UK Honeynet Project

Embedded Nepenthes - malware collection using OpenWRT

david — Wed, 07 May 2008 15:22:08 +0000

For Phase Two of our Global Distributed Honeynet Project (GDH) I’ve been continuing to explore how to extend our sensor deployment footprint at minimum cost. Mixed High and low interaction nodes will always require real server / PC hardware, but for a number of years I’ve been interested in using “plug and play” low interaction-only honeypots such as Nepenthes malware collectors via bootable or embedded devices. These devices are much easier to mass produce and distribute to project members, and with consumer device price levels continuing to fall it has become practical to distribute such sensors on a larger scale internationally (ie hundreds rather than tens of live sensor nodes).

Deployment options are generally based around two models:

Local sensor, with honeypot software running locally on the sensor.
Gateway sensor, with no honeypot software running locally and instead some form of tunnelling solution (GRE, IPSEC, OpenVPN, Honeymole, etc) being used to transparently bridge IP traffic to a central honeyfarm.

I won’t go into too much detail here at this stage, but as we plan to roll out an expanded data collection system along these lines during 2008 you can expect to see more information here in the future.

As part of the background research into building reliable low cost low interaction honeypots, I’ve recently needed to port a number of tools such as Nepenthes to various embedded devices for testing. As this turned out to be a little more time consuming than originally expected, I’ve posted a HOWTO guide for building Nepenthes on the OpenWRT embedded platform. Hopefully this information might help anyone else interested in similar research save a few hours of confusion.

First WOMBAT workshop

david — Fri, 25 Apr 2008 15:19:05 +0000

Jamie and myself from the UK Honeynet Project plus Max Kilger and Thorsten Holz from the UNCC and German Honeynet Project Chapters were in Amsterdam this week for the first workshop held by the European Commission’s 7th Framework WOMBAT project (see previous posts for more details).

The workshop was held at Vrije University south of the city centre and included members of the WOMBAT consortium and invited guests who were active in the fields of honeynet deployments, malware analysis and large scale data collection. Over two days we were introduced to the three year WOMBAT project, its goals and members and a number of short presentations were given by the invited guests from the EU, US, Asia and Australia. David spoke about the Honeynet Project’s various data collection initiatives, including the Global Distributed Honeynet Project (GDH), and Max spoken about attacker profiling models. The proceedings will be published in the journals of IEEE Computer Society later in the year and we’ll post them when we are able to.

Overall an interesting event with lots of opportunity for collaboration and information sharing that will hopefully come to fruition. Of particular interest was the honeyclient work that the Polish CERT NASK were involved in, which was remarkably similar to our own recent activity on Evil Javascript and SpamMonkey that I gave a lightning talk on at CanSecWest08 last month. Like us, they hope to release their code as open source in the coming weeks and months, so we are look forward to seeing it.

WOMBAT 2008 papers accepted

david — Fri, 04 Apr 2008 14:06:05 +0000

We were happy to be informed that both papers submitted by The Honeynet Project to the upcoming WOMBAT honeynet workshop in Amsterdam this month have been accepted. Max Kilger and Tom Holt from the UNCC Honeynet Project Chapter will be presenting a paper on Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers and I will be presenting Honeynet Project: Data Collection and Data Analysis (with Jamie also attending). We’ll post the paper here once it has completed the review and the IEEE pre-publication process.

CanSecWest08

david — Thu, 03 Apr 2008 14:41:39 +0000

I was in Vancouver last week as a backup speaker for CanSecWest08 . Once again, this was an good event, with plenty to keep me interested. It was also a great chance to catch up with Honeynet Project members, various friends in the security community and also to meet up with new people and exchange ideas. Kudos to Dragos for another excellent event, and also to Honeynet Project alumni Shane for winning the Pwn20wn contest for the second year in a row. Presentations should be on the web site shortly.

In the end, and for the first time ever, all the speakers made it to the event and I didn’t need to give a repeat performance of my PacSec07 GDH presentation. However, I did give a lightning talk entitled Evil Javascript and SpamMonkey that introduced a couple of projects the UK Honeynet Project team have been working on recently. You can find the slides here and hopefully we’ll be releasing the code and some sample results in the coming months.

Global Distributed Honeynet (GDH) Phase Two starting

david — Wed, 02 Apr 2008 14:33:16 +0000

After doing a lot of work leading phase one of The Honeynet Project’s Global Distributed Honeynet (GDH) last year, I’m please to announce that internal development has begun on GDH Phase Two today. Initially this will result in new public Honeywall releases (version 1.4 this month integrates a second generation of our Hflow data fusion tool, followed by version 1.5 which will hopefully support attacker source IP to keystroke mapping in all Sebek related tools at last! Hopefully the three month kick start phase will be extended throughout 2008 and we’ll be releasing lots of interesting research data once an expanded global sensor network is operational. GDH Phase Two will include also client honeypots (based on Capture-HPC) and should also see some long overdue improvements to our Honeysnap reporting tool too.

Capture-HPC version 2.1 released

Steve — Thu, 27 Mar 2008 15:16:45 +0000

A new release of Capture-HPC has been made available:

“The Honeynet Project (http://www.honeynet.org) and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington (http://www.mcs.vuw.ac.nz/) are excited to announce the release of Capture-HPC v2.1. Capture-HPC is an innovative security product that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from our web site at: https://projects.honeynet.org/capture-hpc/wiki. It is written and distributed under the GNU General Public License, v2.”

Improvements include better performance, increased data capture and a new client plug-in framework.

The full press release can be found here:

http://www.honeynet.org/press/honeynet-project-press-release-capture-hpc.pdf

New version of Argos honeypot released

david — Tue, 11 Mar 2008 12:59:35 +0000

The team over at Vrije University in Amsterdam (the location for the upcoming invite-only WOMBAT honeynet data sharing workshop) have released a new version of their Argos honeypot tool:

http://www.few.vu.nl/argos/

This interesting honeypot system uses dynamic taint analysis to track network data and identify unknown malware. So far we’ve only experimented with it, but it looks like a promising project and an ideal companion to Nepenthes based capture of known malware variants.

UKHP attend ISOI4

david — Tue, 04 Mar 2008 12:45:54 +0000

I was one of the attendees at the fourth ISOI workshop last week, which this time was held in sunny San Jose. Once again, the event had an interesting range of presentations and discussions, mostly focused around what system defenders could do now to make a difference to the continuing tide of cybercrime observed every day. There was also plenty of opportunity to catch up with people in the security community, and put faces to names, so thanks to Gadi and co for the continued invites. I also got a bit of time to hang out with various Honeynet Project people and some of the guys from Shadowserver, and hopefully we’ll see some interesting spin offs in the coming months. Being from the UK, the obligatory Silicon Valley geek tourism was also fun too.

WOMBAT Workshop 2008

david — Wed, 20 Feb 2008 12:59:36 +0000

The Honeynet Project have been invited to submit a paper to the upcoming invite-only Worldwide Observatory of Malicious Behaviors and Attack Threats (a href=”http://wombat-project.eu”>WOMBAT) honeynet workshop at Vrije University in Amsterdam on the 21st and 22nd of April. David and Jamie from the UKHP will be organising the Honeynet Project’s submissions, and we hope to have at least one presentation accepted for publication in the journal of the IEEE.

For more details see http://wombat-project.eu/2008/04/wombat-closed-workshop-april-2.html

New release of the Honeywall CDROM

arthur — Fri, 04 Jan 2008 14:01:57 +0000

There’s a new (beta) release of the Honeynet Project’s “Honeywall” CDROM out. This release (1.3b) fixes some bugs but the main change is a move from the no longer supported Fedora Core 6 platform to CentOS 5. This should give us less work keeping the base platform up to date and more time to work on adding cool new features

We’ve also moving to a more open development model for the CDROM. Although it’s always been GPL’d, the development processes has been closed and it’s been hard for outsiders to add features/hack code. I’m pleased to say that that’s now changed, and there’s a new Trac site with a svn tree, wiki and all the usual stuff. The Honeywall public mailing list is also still available.

Cool stuff that will be coming in the future includes a move to hflow2 for better flow decoding and analysis and changes to the build processes to make it easier to use.

Credits: Earl Sammons, Rob McMillen and myself did the CentOS port. Steve Mumford and Dave Watson did all the work in setting up our new infrastructure to enable more open development.