### UNAM Honeynet Project ###
Status Report March 2007

1.0 DEPLOYMENTS
===============

1.1 Current honeynets deployed.

We're currently running 2 GenIII Honeynets with different OS versions as non-virtualized high-interaction honeypots. These honeynets are based on the Honeynet Project's bootable Honeywall CDROM. We're also running a Darknet using a similar architecture for network monitoring, based on sguil, snort, argus, tcpflow and several other tools for data capture and analysis. Additionally we are running a Global Distributed Honeynet node in Mexico. We keep honeypots for malware capture; every sample is shared with the MwCollect Alliance members.

We're using this infrastructure as an early warning and intrusion detection system, so we can proceed not only with incident response but also identify emerging threats on the Internet and share this knowledge with the community.

Data capture:
-Sebek
-Honeytrap
-Honeywall
-Nepenthes

Data analysis:
-Walleye
-Sguil
-Honeywall scripts
-Honeysnap

Honeypots:
-1 Windows XP Professional
-1 Windows 2000 Advanced Server
-2 Fedora Core 3
-2 RedHat Linux 9
-8 Nepenthes Honeypots

2.0 FINDINGS
===============

2.1 Highlight any unique findings, attacks, tools, or methods.

We have observed activity in our darknet and honeynets a few hours after the first observation by other security teams, such as the exploitation attempts against the telnetd vulnerability in Solaris 10 and Solaris 11 (CVE-2007-0882), and the worm activity related to Symantec security advisory SYM06-010, before we could capture the first malware sample related to it. We could also identify remote denial of service attacks against sites located in Russia, Spain, the United States and China that used our address space, through backscatter traffic analysis; most of this activity was against IRC servers suspected of being used as botnet C&C servers.
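The backscatter analysis mentioned above, as an added example (not the UNAM project's own tooling): a darknet receives only unsolicited traffic, so when a victim is SYN-flooded with source addresses spoofed from our prefix, its SYN/ACK and RST replies land on the darknet. The source of such a packet is the DoS victim, and the port it answers from is the service under attack. The flow records, the argus-style flag letters and the RFC 5737 documentation addresses are all constructed for this example.

```python
"""Backscatter analysis over darknet flow records.

Added example, not the UNAM project's own tooling. Assumes a darknet that
receives only unsolicited traffic: a host answering connection attempts it
never received from us is replying to spoofed packets, i.e. it is the victim.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Flag combinations only a host *answering* a connection attempt sends
# (argus-style TCP flag letters: S=SYN, A=ACK, R=RST).
BACKSCATTER_FLAGS = {"SA", "R", "RA"}
IRC_PORTS = {6667, 6668, 6669, 7000}


def classify_flow(rec, darknet):
    """Label one flow record as 'backscatter', 'probe' or 'other'.

    rec: dict with src, sport, dst, dport, flags. Traffic whose destination
    is not inside the darknet is ignored.
    """
    if ip_address(rec["dst"]) not in darknet:
        return "other"
    if rec["flags"] in BACKSCATTER_FLAGS:
        return "backscatter"
    if rec["flags"] == "S":
        return "probe"          # a scanner knocking on dark address space
    return "other"


def find_dos_victims(records, darknet, min_targets=3):
    """Group backscatter by source (the victim) and count the distinct
    darknet addresses each one answered to. A victim replying to many
    different dark addresses means the attacker spoofed across our prefix.
    Returns {victim_ip: {"targets": n, "ports": [...], "irc": bool}}.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for rec in records:
        if classify_flow(rec, darknet) != "backscatter":
            continue
        targets[rec["src"]].add(rec["dst"])
        ports[rec["src"]].add(rec["sport"])
    victims = {}
    for victim, seen in targets.items():
        if len(seen) < min_targets:
            continue
        victims[victim] = {
            "targets": len(seen),
            "ports": sorted(ports[victim]),
            # flag victims answering from IRC ports, as in the C&C case above
            "irc": bool(ports[victim] & IRC_PORTS),
        }
    return victims


# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
DARKNET = ip_network("192.0.2.0/24")
SAMPLE_RECORDS = [
    # SYN/ACKs from one host on 6667 to five different dark addresses:
    # classic backscatter of a SYN flood against an IRC server.
    {"src": "203.0.113.10", "sport": 6667, "dst": f"192.0.2.{i}", "dport": 40000 + i, "flags": "SA"}
    for i in range(11, 16)
] + [
    # a scanner probing SSH on the darknet: a probe, not backscatter
    {"src": "198.51.100.7", "sport": 51000, "dst": "192.0.2.40", "dport": 22, "flags": "S"},
    # a single RST: too few distinct targets to call it a DoS victim
    {"src": "203.0.113.20", "sport": 80, "dst": "192.0.2.41", "dport": 1234, "flags": "R"},
]

if __name__ == "__main__":
    for victim, info in find_dos_victims(SAMPLE_RECORDS, DARKNET).items():
        print(f"{victim}: {info['targets']} dark targets, ports {info['ports']}, irc={info['irc']}")
```

The distinct-target threshold is what separates a flooded victim from a host that happened to send one stray RST; on a real darknet it should be tuned to the prefix size and the observation window.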
The brute force attacks against Secure Shell were the most observed activity, followed by malware propagation through vulnerable Windows services (especially Korgo and SdBot variants), HTTP proxy scans so intruders can hide their browsing activities, and webmin and usermin service scans (10000/tcp and 20000/tcp respectively) trying to exploit the CVE-2006-4542 vulnerability, along with other activity like MySQL and RealVNC scans, FTP brute force attacks and scans for Apache servers vulnerable to CVE-2003-0545.

Most of the SSH scans originated from Latin American networks (including Colombia, Argentina, Peru and Brazil) and from the United States. We identified several brute force attacks from the same IP address in the US, but once the attacker got access to the honeypot, she logged in from a different IP address located in Mexico in order to install an IRC file server (iroffer) and connect the honeypot to a popular WAREZ IRC network.

We also captured the activity of an SSH break-in from a Romanian IP: once the attacker gained root privileges through a do_brk() exploit, she replaced the sshd daemon with a trojanized version allowing her remote access with a password predefined in the code. After a couple of days the same honeypot was compromised by the same method (weak password) through SSH, but in this case the attacker was the same one from the previous iroffer incident. She proceeded in the same way, connecting the honeypot to the same WAREZ network without noticing either the previous break-in or the trojanized sshd daemon. Once the Romanian came back and noticed the IRC file server process, she killed it and erased every file and piece of evidence related to the second intrusion, after a detailed analysis of the logs and of the files recently created in the system, as a way to prevent the user from discovering anomalies.
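A detection for the SSH pattern described above, as an added example (not the project's own tooling): the guessing came from one address and the eventual login from another, so counting failures per source is not enough; the check also reports every successful login to an account that had earlier failures and whether that login came from a source that itself guessed against the account. It assumes OpenSSH syslog lines of the "Failed password for" / "Accepted password for" form; the sample log and its addresses are constructed.

```python
"""SSH brute-force and success-after-failure detection over auth log lines.

Added example, not the project's own tooling. Assumes OpenSSH syslog lines;
the sample log below is constructed (RFC 5737 documentation addresses).
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return {'result', 'user', 'src'} for a password auth line, else None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def analyze_ssh_log(lines, fail_threshold=3):
    """Scan lines in order and return:
      brute_force_sources: {src: failures} for sources at/above threshold
      suspicious_logins:   successes on accounts with earlier failures
    """
    failures_by_src = Counter()
    failures_by_user = Counter()
    failed_srcs_by_user = defaultdict(set)
    suspicious = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures_by_src[ev["src"]] += 1
            failures_by_user[ev["user"]] += 1
            failed_srcs_by_user[ev["user"]].add(ev["src"])
        elif failures_by_user[ev["user"]] > 0:
            suspicious.append({
                "user": ev["user"],
                "src": ev["src"],
                "prior_failures": failures_by_user[ev["user"]],
                # False: the successful login came from an address that never
                # guessed against this account, which is worth a closer look
                "same_source": ev["src"] in failed_srcs_by_user[ev["user"]],
            })
    brute = {s: n for s, n in failures_by_src.items() if n >= fail_threshold}
    return {"brute_force_sources": brute, "suspicious_logins": suspicious}


# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar  5 10:01:02 hpot sshd[4123]: Failed password for root from 198.51.100.23 port 40112 ssh2
Mar  5 10:01:03 hpot sshd[4125]: Failed password for invalid user admin from 198.51.100.23 port 40113 ssh2
Mar  5 10:01:05 hpot sshd[4131]: Failed password for test from 198.51.100.23 port 40114 ssh2
Mar  5 10:01:06 hpot sshd[4140]: Failed password for test from 198.51.100.23 port 40115 ssh2
Mar  5 10:01:08 hpot sshd[4150]: Accepted password for test from 198.51.100.23 port 40116 ssh2
Mar  5 10:02:00 hpot sshd[4160]: Accepted publickey for operator from 192.0.2.5 port 50000 ssh2
Mar  5 11:30:44 hpot sshd[4380]: Accepted password for test from 203.0.113.77 port 51234 ssh2
""".splitlines()

if __name__ == "__main__":
    report = analyze_ssh_log(SAMPLE_LOG)
    print("brute force sources:", report["brute_force_sources"])
    for s in report["suspicious_logins"]:
        print("login:", s)
```

On the sample, the first success is the brute-forcer itself and the second is a login to the same guessed account from an address that never failed, the same shape as the US/Mexico incident. Public-key logins are deliberately outside the pattern, since the incidents here were all password guessing.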
In another incident related to successful SSH brute force attacks we identified the download and execution of a Perl script with a base64 string in it; after decoding it we realized it was a Perl bot receiving orders from a C&C server located in Russia. This Perl bot can search for vulnerable web services, especially through the Australian Google server. During a couple of days the scans were for Flashchat servers vulnerable to CVE-2006-4583.

2.2 Any trends seen in the past six months.

We have seen that most vulnerabilities exploited in Windows systems were exploited through automatic means, without the involvement of the attacker, by malware updated with recent exploit code for known vulnerabilities, like SYM06-010 at the beginning of this year. However, Unix compromises needed some kind of interaction from the attacker, who attempted to erase every trace of compromise in the system, even those generated by other successful attacks.

3.0 LESSONS LEARNED
===================

3.1 What new positive things can you share with the community, so they can replicate your success?

Information collected by the honeynets is very useful in our daily incident handling tasks at our university. We have identified several threats, including malware propagation techniques, port-scan trends and honeypot compromises, so we could provide, in most cases, timely alerts and assistance to our internal IT staff. This information has also been useful in other security strategies in our network.

The analysis in a controlled environment of the malware captured by our honeypots provides us the information needed to track threats like botnets, so we can defeat them by sinkholing every connection from bots in our network in critical situations. We pass this information along to our incident response team too.

3.2 What new mistakes can you share with the community, so they don't make the same mistakes?
Don't try to analyze data without a plan; it's important to develop a data analysis protocol before opening network traffic files in Wireshark. Also use several tools for data analysis, even to get the same thing; sometimes a single tool is not capable of showing the results in the proper manner. This plan has to be updated and improved through your daily analysis work. Be aware of the laws and policies in your country or organization before using honeypots; sometimes you can break the rules if you capture or share network traffic without prior explicit permission.

3.3 Are there any research ideas you would like to see developed?

We would like another way to analyze network traffic from our honeynets in addition to a web browser. We have been using sguil in a testing honeynet lab, and even though it doesn't have all the capabilities of Honeywall, it would be great to design and develop a data analysis tool based on the architecture of sguil and the Honeywall database, so we could use the same interface (a dedicated GUI) to analyze traffic from several honeynets in a distributed environment.

4.0 TECHNOLOGY
=======================

4.1 What tools or functionality are we lacking, what do we need to work on?

Sometimes when the data captured is sizable, data analysis through the Walleye web interface is tedious, due to limitations of the web browser in displaying large amounts of data during an investigation.

4.2 What new tools or technology are you working on?

We will start testing Capture-HPC using a URL feeder for the Capture Server fed from several email drop accounts. The email addresses will be posted on several sites like newsgroups and forums so we can feed our honeyclient with the URLs included in spam email, and see the activity on these dubious sites.

4.3 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?

It would be great to work with other honeyclients like HoneyC and MITRE's honeyclient.
5.0 PAPERS AND PRESENTATIONS
============================

5.1 Are you working on any papers to be published, such as KYE or academic papers?

We are working on a paper about our experiences in botnet quarantine strategies using DNS and darknet operations; this work will be presented at the Computer Security Congress Mexico 2007 in June.

5.2 Are you looking for any data or people to help with your papers?

It would be great to hear about any experience in network telescope (darknet) operation; any findings and mistakes you can share would be worthwhile.

5.3 Where did you publish/present honeypot-related material?

The UNAM Honeynet Project - Computer Security National Network, 2nd Technical Forum of Metropolitan Region, Mexico City, Mar. 2007 - Mexico.

DNS, honeynets and darknets for passive network monitoring within academic networks - XII Simposium Internacional de Ingenierías en Sistemas Computacionales, ITESM Toluca, Edo. Mexico, Sept. 2006 - Mexico.

6.0 ORGANIZATIONAL
==================

6.1 Changes in the structure of your organization.

A fellowship holder ceased his activities in the project.

6.2 Your feedback on Alliance activities.

We couldn't attend the last honeynet meeting. It would be great to improve our sharing of malware and botnet findings with other teams.

6.3 Any suggestions for improving the Alliance?

We could share tools and malware samples found in our logs in a common repository for further analysis.

7.0 GOALS
=========

7.1 Which of your goals did you meet for the last six months?

We have been working with other universities in Mexico so we can deploy honeypots in their networks by the middle of this year, followed by a training program for their network operators in intrusion detection skills and notification of any event of interest, with a non-disclosure agreement previously signed by each university.

7.2 Which of your goals did you not meet for the last six months?

The use of honeyclients to analyze several sites reported in security forums.
7.3 Goals for the next six months

Recruit additional members from the UNAM-CERT fellowship program. Install and operate Capture-HPC using several URLs from spam email. Also work on the deployment of a bigger darknet using the unused address space in our network; we are planning to use both passive (packet vacuum) and active sensors (like honeypots) so we can capture more malicious activity through it. Currently we are in the testing phase of this project.

8.0 MISC ACTIVITIES
====================

8.1 Anything else not covered you would like to share.