I recently came across an interesting paper by researchers at Vrije University in Amsterdam (the hosts for last month’s WOMBAT workshop). It details a project they call “Eudaemon” (a good spirit from Greek mythology), which borrows from the heavily instrumented, system-wide dynamic taint analysis approach of the Argos honeypot but instead ports Argos’s dynamic taint analysis engine to a user-space emulator called SEAL. Individual suspect processes within a high interaction honeypot can be marked for “possession” by Eudaemon: they are temporarily frozen, passed into SEAL for dynamic taint checking (by transparently pre-loading the emulator library into the memory space of every process and using ptrace to attach to the frozen process), and can subsequently be released cleanly once the detailed instrumentation is complete. Their initial benchmarks show significant performance improvements over Argos’s system-wide approach (which typically slows down a running virtual machine by an order of magnitude or more), and this appears to be the first security system that allows fully native applications to be switched into emulated operation mid-process. Definitely worth a read from a high interaction honeypot perspective (particularly for client honeypot applications), and I’m looking forward to seeing working code.
Archive for the ‘Tool Releases’ Category
A new release of Capture-HPC has been made available:
“The Honeynet Project (http://www.honeynet.org) and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington (http://www.mcs.vuw.ac.nz/) are excited to announce the release of Capture-HPC v2.1. Capture-HPC is an innovative security product that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from our web site at: https://projects.honeynet.org/capture-hpc/wiki. It is written and distributed under the GNU General Public License, v2.”
Improvements include better performance, increased data capture and a new client plug-in framework.
The full press release can be found here:
The team over at Vrije University in Amsterdam (the location for the upcoming invite-only WOMBAT honeynet data sharing workshop) has released a new version of their Argos honeypot tool:
This interesting honeypot system uses dynamic taint analysis to track network data and identify unknown malware. So far we’ve only experimented with it, but it looks like a promising project and an ideal companion to Nepenthes-based capture of known malware variants.
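To make the dynamic taint analysis idea behind Argos (and Eudaemon, above) concrete, here is a small added example, not code from either project: a toy register VM in which every byte received from the network carries a taint bit, taint propagates through arithmetic, and an indirect jump through a tainted register is reported, which is the condition a control-flow hijack produces. The instruction set, sample programs and network input are all constructed for illustration.

```python
# Added example (not Argos/Eudaemon code): a toy register VM that tracks taint the
# way a dynamic taint engine does. Network-derived bytes are tainted, taint follows
# the data through arithmetic, and a tainted control-flow target raises an alert.

class TaintAlert(Exception):
    """Raised when network-derived (tainted) data reaches a control-flow target."""

class TaintVM:
    def __init__(self, net):
        self.net = net                           # constructed "network" input bytes
        self.regs = {r: 0 for r in "abcd"}       # register values
        self.taint = {r: False for r in "abcd"}  # one taint bit per register
        self.pc = 0

    def run(self, prog):
        while self.pc < len(prog):
            op, *args = prog[self.pc]
            self.pc += 1
            if op == "recv":        # dst, idx: load a network byte and mark it tainted
                dst, idx = args
                self.regs[dst], self.taint[dst] = self.net[idx], True
            elif op == "movi":      # dst, imm: an immediate operand is always clean
                dst, imm = args
                self.regs[dst], self.taint[dst] = imm, False
            elif op == "add":       # dst, src: result is tainted if either input was
                dst, src = args
                self.regs[dst] = (self.regs[dst] + self.regs[src]) & 0xFF
                self.taint[dst] = self.taint[dst] or self.taint[src]
            elif op == "jmp":       # reg: indirect jump; a tainted target is the alert
                (reg,) = args
                if self.taint[reg]:
                    raise TaintAlert(f"tainted jump target in register {reg}")
                self.pc = self.regs[reg]
            elif op == "halt":
                break
        return dict(self.regs)

def check(prog, net):
    """Run prog against net; return 'clean' or the alert message."""
    try:
        TaintVM(net).run(prog)
        return "clean"
    except TaintAlert as e:
        return str(e)

# Constructed programs: BENIGN jumps through a register loaded from an immediate;
# HIJACK derives its jump target from a received byte, as an overwritten pointer would.
BENIGN = [("movi", "a", 3), ("recv", "b", 0), ("jmp", "a"), ("halt",)]
HIJACK = [("recv", "a", 0), ("movi", "b", 1), ("add", "a", "b"), ("jmp", "a"), ("halt",)]
```

Real engines such as Argos track taint per byte of memory and registers across the whole guest, but the propagation and the check at control-flow transfers are the same idea.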
There’s a new (beta) release of the Honeynet Project’s “Honeywall” CDROM out. This release (1.3b) fixes some bugs, but the main change is a move from the no longer supported Fedora Core 6 platform to CentOS 5. This should give us less work keeping the base platform up to date and more time to work on adding cool new features.
We’re also moving to a more open development model for the CDROM. Although it’s always been GPL’d, the development process has been closed and it’s been hard for outsiders to add features or hack on the code. I’m pleased to say that that’s now changed, and there’s a new Trac site with an svn tree, wiki and all the usual stuff. The Honeywall public mailing list is also still available.
Cool stuff that will be coming in the future includes a move to hflow2 for better flow decoding and analysis and changes to the build processes to make it easier to use.
Credits: Earl Sammons, Rob McMillen and myself did the CentOS port. Steve Mumford and Dave Watson did all the work in setting up our new infrastructure to enable more open development.
A new low interaction honeypot called Amun was released last week by a German researcher called Jan Göbel at the University of Aachen. Amun takes a similar approach to Nepenthes and is also designed to collect samples of autonomously spreading malware by emulating vulnerable network services and then downloading malicious payloads for analysis. It is Python and XML based, so it should be easy to extend, and can be downloaded here. Worth checking out.
The New Zealand Honeynet Project have been busy with version two of their Capture-HPC client honeypot application, which we use internally for crawling and analysis of suspect URLs. Some of the new features include:
* support for any client application that is HTTP protocol aware (for example, Microsoft Excel)
* ability to automatically collect malware
* ability to automatically collect network traffic on the client
* ability to push exclusion lists from the Capture Server to the Capture Client
* improved control of Internet Explorer: obtain HTML error codes; specify visitation delay after a page has been retrieved; retry visitation of URLs in case of time outs or network errors
* support for a plug-in architecture that allows fine-grained control of clients (for example, as provided for Internet Explorer), but also allows for integration of client applications that require complex interactions to retrieve content from the web (e.g. Safari is such an application: it doesn’t allow retrieval of web content by passing the URL as a parameter)
Highly recommended if you are interested in research in this area, as it is very actively maintained and has been effective in our experience.
There have been a number of releases of new and interesting tools by members of the Honeynet Project and the Research Alliance over the past few weeks. In particular, the following are definitely worthy of further investigation:
HoneyC is a low interaction client honeypot / honeyclient designed to emulate web clients and identify malicious servers on the web. HoneyC is developed and maintained by Christian Seifert of the NZ Chapter.
Capture-HPC is a high interaction client honeypot. A client honeypot is a security technology that allows one to find malicious servers on a network. Capture identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system state changes. Capture-HPC is developed and maintained by Christian Seifert of the NZ Chapter.
CaptureBAT is a behavioral analysis tool for applications on the Win32 operating system family. CaptureBAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights into how the software operates even if no source code is available. CaptureBAT monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ Chapter.
Pehunter is a Snort dynamic preprocessor that grabs Windows executables off the network and is designed to sit in-line in front of high-interaction honeypots. Developed and maintained by Tillmann Werner of the German Honeynet Project.
The High Interaction Honeypot Analysis Toolkit (HIHAT) attempts to transform arbitrary PHP applications into web-based high-interaction honeypots. A typical use would be the transformation of PHPNuke, PHPMyAdmin or OSCommerce into a fully functional honeypot, and HIHAT provides a graphical user interface to support the process of monitoring the honeypot, analyzing the acquired data and generating statistics. Developed and maintained by Michael Mueter of the German Honeynet Project.