Greek Honeynet Project
HRA Status Report Apr/05 – Sep/05

1.0 DEPLOYMENTS

1.1 Current technologies deployed

We are running two Honeynets: the first one is our production Honeynet, while the second one is used as a platform for testing new technologies.

1) Honey-1: This is our production platform. Data from this honeynet are systematically gathered in a central repository and analyzed.
The topology of Honey-1 is more or less the same as in the previous semester.

Honeywall: eeyore 0.69
Honeypots: 1 Fedora Core 3 (on VMware Workstation 5.0)
1 Debian 3.0r0 (on VMware Workstation 5.0)
1 Slackware 10.0
1 WinXP Pro SP2

Topology: http://www.honeynet.gr/honey1/topol1.png


Description:
Following our study on how to implement more realistic honeypots in order to attract more advanced attacks, we launched a honeynet to test these ideas. Honey-1 was enhanced with the following characteristics (we will avoid giving detailed information, so as not to blow our cover):

- Our honeynet has an identity and a business plan.
- Our small company consists of real personnel and clientele.
- It has a registered domain name.
- There is php-based Web site.
- There are real user accounts and pop accounts.
- The two virtual machines run manually configured (near) real services (ftp, http, e-mail, dns).
- Word processing and other popular software are installed in the two desktop systems.
- Home directories and ftp site have been populated with user documents, sheets even with music files, howto's and manuals.
- We have planted several "sensitive-looking" files

2) Honey-2: Non-production Platform

Honeywall: roo-1.0.hw-189
Honeypots: 1 RH 9 fully patched (DNS server)
4 honeyd virtual hosts (various machines)

Topology: http://www.honeynet.gr/honey2/topol2.png

1.2 Lessons learned from the technology, what we like about it

We really like the remote system management capabilities of Walleye. That way you can monitor and administer the honeywall from a single front-end. The use of SSH is eliminated in certain extreme situations.


1.3 Lessons learned from the technology, what is lacking / needs improvement

What might be missing, in our humblest opinion, is a way of demonstrating some quick facts to the general public without worrying about thinks such as anonymization. We have been working with HoneyStats in that direction.


2.0 FINDINGS

2.1 Number and type of systems compromised during six month period

We haven't seen any compromise, not even any Windows compromises. Our findings thus far do not justify our efforts on building more realistic honeypots.


2.2 Unique findings, attacks, tools, or methods

- The complete absence of any Windows-related events (might) be due to the fact that the Windows XP box has its firewall turned on (no antivirus installed though). This proves that Windows XP SP2 are more secure than its predecessors, since the firewall is turned on by default.

- There is an increase in SSH scans. These are possibly attempts for brute force attacks. We have seen this kind of activity in the past; we actually had a compromise via brute force guessing in 2004.

- We recorded about 40 connections from what appeared to be Code Red II infected machine (yes, it still exists). This was captured on our testing platform (Honey-2).

2.3 Trends seen in the past six months

- The ports most accessed for this period are 135/tcp, 139/tcp, 445/tcp, 1026/udp.

- A Windows box gets about 350 - 400 attacks a day.

- The last months we have seen an increase in SSH connections.

- There is a significant amount of SMTP traffic that is related to spam e-mail.

- A large numbers of attacking hosts are located within our Campus. We don't get any advanced attacks from that direction anymore, just plain old worm propagation.

2.4 Data analysis tools and methods being used

Our favorite analysis tools are: Snort, tcpdump, argus, acid, demarc, ethereal, tcpslice, and some custom scripts. We are beginning to familiarize with Walleye.

2.5 What analysis tools work well and what still needs to be developed

Walleye works well.

3.0 MISC ACTIVITIES

3.1 Presenting at conferences

---

3.2 Developing, testing or releasing code

- We have been developing a completely revised version of our statistics generating package.

The existing version

This is the Near-Real Time Monitor application in Greek's Honeynet web site illustrating some statistics about the collected data of our Honeynet. In detail, one can see for a specified period of time (last year, last month, last week, last 5 days, last day) what where the top 10 ports that were probed, the top 10 countries from which these probes were originated, the trend of the most active ports as well as the geographical location of the sources producing these probes.

A number of perl scripts that are executed once every day by a cron job produce the images illustrating these statistics, which are afterwards copied into the web server.

The idea behind this application was for someone to be able to easily and quickly become aware of the potential malicious activity our Honeynet is capturing.

The new, soon to be released version

This application was further developed in order to become more flexible and more efficient. The resulted package was named HoneyStats:
The scripts for calculating the statistics were significantly changed and new web pages were developed using the CGI technology. As a result, the site now acts as a flexible front-end where the user can dynamically query and search the collected data.

The NetGeo perl module used in mapping the IP address of the source that probed the Honeynet to its geographic location, has been substituted by the GeoIP perl module which is more accurate, as its database is updated monthly (NetGeo is no longer supported).

The database used by the package to store the events logged by the firewall was redesigned and now the full firewall logs are stored in it and not the unique ones as it was done in the initial package. That way the statistical calculations are more efficient.

This package can be used by a Honeynet Project so that it can easily share part of its findings with the outside world. It could act as an appealing interface to the public not closely involved with honeynets and potentially increase its interest to this technology. Also, it gives more value to the Data Collection process because Alliance members will be able to easily get an idea about the activity captured by other members.

- We have developed a perl script to fight the propagation of the Sasser worm. The script will be available on-line in a couple of days.

The script is invoked by honeyd as soon as an infected host tries to connect to 445/tcp port of virtual host. Below are the actions taken step-by-step :

  1. An LSASS attack is launched against the originating machine, using exploit code found in packetstormsecurity.org.
  2. After the successful buffer overflow in the remote Windows host, we connect to it through telnet.
    We create a .bat file in the "All Users" Startup folder with three commands: kill the process of the worm, remove from the registry key that loads the worm at Windows startup and finally delete the sasser executable. This particular binary exploit did not return an administrator command shell and thus it was not possible to terminate the running process of the worm, nor edit the registry. To overcome this, we took advantage of the fact that all Sasser variants (except Sasser.g) after a while crash the LSASS service and the machine reboots.
  3. After a while, the attacking host is rebooted and when any user with administrator privileges logs in, Sasser is removed.

The perl script was tested in a VMware environment.

- We conducted some more Roo testing and submitted a few bugs.


3.3 Publication of papers

---

3.4 Involvement in SotM challenges

---


3.5 Other

1. Complement our on-line resources (in greek) disseminating security learning examples, with the technical report following a student’s experiment with honeyd in our lab. Results were presented to Aegean University Computer Science department and got very positive reception. Topics covered were:

* Honeynets and Honeypots: Definitions, The HRA, Success stories
* Honeyd: Installation and Configuration, Applications
* Experimenting with Honeyd
* Data Analysis with Snort and Acid

2. Established a collaboration with Aegean University for students to get involved with our project with Honeynet technologies

3. Open a contact with Athens Technology Institute. They used our example deployment in the KYE book as part of a student project. We will exchange views about GenIII deployments


4.0 ORGANIZATIONAL

4.1 Changes in your structure of your organization.

---


5.0 LESSONS LEARNED

5.1 Positive things we would like to share with the community

---

5.2 Mistakes we would like to share with the community

- Roo needs a more powerful machine than eeyore, due to Walleye.

- Access lists on honeynet upstream devices filtered out certain types of traffic. The malicious traffic towards our newly deployed honeynet was somewhat limited. This must have had a huge impact on the captured activity.

- It is a cumbersome task to prepare realistic honeypots. It is very time consuming and error prone. - As we already mentioned, we are not satisfied with the findings of our new honeynet deployment (Honey-1). See below for some future actions on this issue.


6.0 FUTURE GOALS

6.1 Plans/Goals for next six months

- Some points we will consider to attract more activity in our new production honeynet :

- Write documentation for the HoneyStats package and other related tasks.

- Fully migrate to Roo. Utilize Walleye in our day-to-day analysis and take advantage of its advanced features.

- Continue testing / evaluating Roo.

- Enlist new active members from Universities exploiting the positive experience of the Honeyd experiment.

- Submit our papers for the individual's whitepapers area.