Welcome to the UK Honeynet Project

The UK Honeynet Project (a Chapter of The Honeynet Project) was founded in 2002 as a volunteer not-for-profit research organisation. Our aim is to provide information surrounding security threats and vulnerabilities active in the wild on UK networks today, to learn the tools, tactics, and motives of the blackhat community and to share these lessons learned with the public and the wider IT community. The project seeks to provide input as part of an overall honeynet community of teams researching security within IT systems around the globe.

It had to happen

10:00, June 30th, 2008 by arthur

Today we received our first bit of spam from EC2. The message itself was pretty standard:

From: "Microsoft" 
Date: 29 June 2008 11:47:43 BST
To: XXX
Subject: Important Update Notification

Hello XXX,

You are receiving this notification because the version of Windows you are running is effected by a critical security issue.

For the protection of yourself and others using the Windows operating system, it is reccomended that all consumers update their operating system at their earliest convenience.

To do so, you may visit Microsoft Update by clicking here, and simply pressing "Open" or "Run" to begin the automatic update process.

Thank you for your cooperation in resolving this matter.

Kind Regards,
Microsoft Customer Support 

The link points to a phishing site:

http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E00000000000000000000000000000000000000000000000000000000000000%2Enet

So far, so standard. The interesting bit is in the headers of the message:

Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)
  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft" 

How long before all email from EC2 is blacklisted? It was only a matter of time before services like this started to be used for sending spam, but this is the first time I’ve seen it in the wild.
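The headers quoted above are the useful evidence: the hostname and literal IP recorded by the receiving MTA in the first trusted Received line. The following Python is an added example (not part of the original post) that pulls the originating hop out of a raw message and flags cloud compute hostnames; the sample message is constructed from the headers shown above with a placeholder sender address, and the suffix list is an assumption to extend for other providers.

```python
import re
from email import message_from_string

# Constructed sample: the Received/From headers quoted in the post, with a
# placeholder for the redacted sender address and no body of interest.
SAMPLE_MESSAGE = """\
Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)
  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft" <redacted@example.invalid>
Subject: Important Update Notification

(body omitted)
"""

# Hostname suffixes treated as cloud compute instances.  Only the EC2 suffix
# seen in the header above is listed; extending it is an assumption, and a
# stronger check is the literal IP against the provider's published ranges.
CLOUD_SUFFIXES = (".compute-1.amazonaws.com",)

# "from <name> (comments...) (<ip>) by <mta>": the name is what the sending
# host claimed (or its reverse DNS), the IP is what the receiving MTA saw.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>[\w.-]+)"
    r"(?:\s*\([^)]*\))*?"
    r"\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>[\w.-]+)",
    re.IGNORECASE,
)

# EC2 reverse names embed the address: ec2-A-B-C-D.<region>.amazonaws.com
EC2_NAME_RE = re.compile(r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.", re.IGNORECASE)


def parse_received(raw_message):
    """Return relay hops with a verifiable IP, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    hops.reverse()  # each MTA prepends its header, so the last one is the first hop
    return hops


def ec2_name_matches_ip(helo, ip):
    """True if an ec2-A-B-C-D hostname agrees with the literal IP; a mismatch means the name was forged."""
    m = EC2_NAME_RE.match(helo)
    return bool(m) and ".".join(m.groups()) == ip


def origin_hop(raw_message):
    """The first hop the perimeter MTA recorded, annotated with cloud-compute indicators."""
    hops = parse_received(raw_message)
    if not hops:
        return None
    first = dict(hops[0])
    first["cloud_compute"] = first["helo"].lower().endswith(CLOUD_SUFFIXES)
    first["ec2_name_consistent"] = ec2_name_matches_ip(first["helo"], first["ip"])
    return first


if __name__ == "__main__":
    print(origin_hop(SAMPLE_MESSAGE))
```

Only the Received line written by your own (or your mail provider's) MTA is trustworthy; earlier lines can be forged by the sender, which is why the hostname check is paired with the embedded-address consistency test and should ultimately be backed by an IP range lookup rather than a suffix match.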

submit-http for nepenthes

17:57, June 3rd, 2008 by jamie

A hideously simplistic PHP handler for the nepenthes submit-http module. It Works For Me ™.

<?php
// Minimal receiver for the nepenthes submit-http module: nepenthes POSTs one
// form field per attribute of a captured binary, and we append them as a
// single key=value,key=value line to a flat log file.

$ts = date('U');
$log = "timestamp=$ts";
$log .= ",remotehost=" . $_SERVER['REMOTE_ADDR'];

foreach ($_POST as $key => $value)
{
        switch ($key)
        {
        // Only the fields submit-http is known to send; anything else is ignored.
        case "url":
        case "trigger":
        case "md5":
        case "sha512":
        case "filetype":
        case "source_host":
        case "target_host":
        case "filename":
          // Strip CR/LF so a crafted value cannot inject extra log records.
          $value = str_replace(array("\r", "\n"), ' ', $value);
          $$key = $value;   // also available as $url, $md5, ... for later processing

          $log .= ",$key=$value";
          break;
        }
}
$log = $log . "\n";
$myFile = "/tmp/submit-log";
$fh = fopen($myFile, 'a');
if ($fh === false) {
        header('HTTP/1.0 500 Internal Server Error');
        exit;
}
flock($fh, LOCK_EX);   // several sensors may submit at the same time
fwrite($fh, $log);
flock($fh, LOCK_UN);
fclose($fh);

?>

You’ll want your config file /etc/nepenthes/submit-http.conf to give this script as the URL, e.g. “http://myserver.example.com/submit.php” and enable the submit-http module in /etc/nepenthes/nepenthes.conf. After that, you probably want to figure out how to collect the binaries that nepenthes has just captured.
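Reading the log back is the first step in collecting the binaries. The following Python is an added example (not part of the original post or of nepenthes) that parses the key=value,key=value lines the handler above writes and groups submissions by md5, so each distinct binary is listed once with the URLs and sensors that reported it. The log lines are constructed; the digests, addresses and trigger names are placeholders.

```python
import re
from collections import defaultdict

# The field names the handler accepts, in the order it would log them.
KNOWN_KEYS = ("timestamp", "remotehost", "url", "trigger", "md5", "sha512",
              "filetype", "source_host", "target_host", "filename")

# Constructed sample of /tmp/submit-log; values are made up and the md5
# digests are placeholders, not real samples.
SAMPLE_LOG = """\
timestamp=1212500000,remotehost=192.0.2.10,url=http://198.51.100.7:8080/x.exe,trigger=lsass,md5=0123456789abcdef0123456789abcdef,filetype=PE,source_host=198.51.100.7,target_host=192.0.2.10,filename=x.exe
timestamp=1212500120,remotehost=192.0.2.11,url=ftp://203.0.113.9/ssms.exe,trigger=dcom,md5=fedcba9876543210fedcba9876543210,filetype=PE,source_host=203.0.113.9,target_host=192.0.2.11,filename=ssms.exe
timestamp=1212500300,remotehost=192.0.2.10,url=http://198.51.100.7:8080/x.exe,trigger=lsass,md5=0123456789abcdef0123456789abcdef,filetype=PE,source_host=198.51.100.7,target_host=192.0.2.10,filename=x.exe
"""

# Split on ",<known key>=" boundaries rather than on every comma, because the
# handler does not escape values and a URL may legitimately contain a comma.
FIELD_RE = re.compile(r"(?:^|,)(%s)=" % "|".join(KNOWN_KEYS))


def parse_line(line):
    """One log line -> dict of field name to raw value."""
    fields = {}
    matches = list(FIELD_RE.finditer(line))
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[start:end]
    return fields


def parse_log(text):
    """All non-empty lines of the log as a list of dicts."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unique_samples(records):
    """Group submissions by md5: one entry per distinct binary with its URLs and reporting sensors."""
    samples = defaultdict(lambda: {"count": 0, "urls": set(), "sensors": set()})
    for rec in records:
        md5 = rec.get("md5")
        if not md5:
            continue  # nothing to key the sample on
        entry = samples[md5]
        entry["count"] += 1
        if "url" in rec:
            entry["urls"].add(rec["url"])
        entry["sensors"].add(rec.get("remotehost", "?"))
    return dict(samples)


if __name__ == "__main__":
    for md5, entry in unique_samples(parse_log(SAMPLE_LOG)).items():
        print(md5, entry["count"], sorted(entry["urls"]), sorted(entry["sensors"]))
```

The md5 is what nepenthes names the stored binary after, so this list maps directly onto the files you will want to fetch from each sensor, and the per-hash count tells you which samples are being pushed most aggressively.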

p0f 2.0.8 on openWRT

17:38, June 3rd, 2008 by jamie

First, read the posting by David about nepenthes on openWRT. Then get p0f from here http://lcamtuf.coredump.cx/p0f.tgz.

cd kamikaze_9.04/dl
tar zxf ~/p0f.tgz
cd p0f
vi mk/Linux

#change these lines to the full path to your compiler, include and library dirs
# probably a nicer way to do it, but i'm in a hurry :) 
CC      = /home/jamie/slug/kamikaze_7.09/staging_dir_armeb/bin/armeb-linux-uclibc-gcc
LIBS    = -lpcap -I/usr/include/pcap -I/usr/local/include/pcap -I/home/jamie/slug/kamikaze_7.09/build_armeb/libpcap-0.9.4/ -L/home/jamie/slug/kamikaze_7.09/build_armeb/libpcap-0.9.4/

cd ..
mv p0f p0f-2.0.8
tar zcvf p0f-2.0.8.tgz p0f-2.0.8

cd ..

Now, create the Makefile below in packages/p0f/Makefile – remember to make sure it has tabs, not spaces! Then compile:

make package/p0f-compile V=99

Copy the ipkg file onto your openWRT box, install it, then just type p0f to run:

== output ==

root@OpenWrt:~# p0f -l
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
p0f: listening (SYN) on 'eth0', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'all'.
77.a.b.c:59460 - Linux 2.6 (newer, 2) (NAT!) (up: 200 hrs) -> 88.x.y.z:22 (distance 14, link: BT DSL (?))

== Makefile for p0f ==
#
# Copyright (C) 2006 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
# $Id: Makefile 9695 2007-12-09 18:59:01Z nbd $

include $(TOPDIR)/rules.mk

PKG_NAME:=p0f
PKG_VERSION:=2.0.8
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tgz
PKG_SOURCE_URL:=http://www.stearns.org/p0f
PKG_MD5SUM:=unknown

include $(INCLUDE_DIR)/package.mk

define Package/p0f
	SECTION:=net
	CATEGORY:=Network
	DEPENDS:=+libpcap
	TITLE:=P0f
	URL:=http://www.stearns.org/p0f/
endef

define Package/p0f/description
	P0f
endef

CONFIGURE_VARS += \
	CPPFLAGS="$$$$CPPFLAGS -g " \
	LIBS="-nodefaultlibs"

define Build/Configure
	$(call Build/Configure/Default,)
endef

# Recipe lines inside the define blocks below must be indented with a tab.
define Build/Compile
	$(MAKE) -C $(PKG_BUILD_DIR) DESTDIR="$(PKG_INSTALL_DIR)"
endef


define Package/p0f/install
	install -d -m0755 $(1)/usr
	install -d -m0755 $(1)/usr/bin
	install -d -m0755 $(1)/etc
	install -d -m0755 $(1)/etc/p0f
	install -m0755 $(PKG_BUILD_DIR)/p0f $(1)/usr/bin
	cp -R $(PKG_BUILD_DIR)/p0f.fp $(1)/etc/p0f
endef
#
$(eval $(call BuildPackage,p0f))

EuSecWest08 roundup

14:20, May 23rd, 2008 by david

EuSecWest08 is over and seems to have been another success. The change of venue from the Victoria Park Plaza to Leicester Square and the Sound nightclub was an interesting move, which could have gone either way but seemed to work for most people and gave the event a slightly more underground, edgy feel. It was also a great location for after-hours socialising.

The standard of presentations and content was generally good, with a number of interesting topics and useful new tools being released. Highlights for me were:

  • Saumil Shah’s Teflon browser extension, which hooks javascript system calls such as document.write and replaces evil Javascript with harmless divs. This fits well with some of the recent evil JS research we have been doing, and we are going to do some collaboration here in the coming months.
  • Alberto Revelli gave an excellent talk on taking SQL Injection vulnerabilities on Windows platform to the next level and using SQLNinja to establish a working remote graphical desktop. Good to see old techniques like building executables from ASCII HTTP requests plus debug.exe coming back into fashion, and an excellent example of how to escalate control from an initial foothold.
  • Martyn Ruk’s review of IBM’s MQ middleware and identification of some surprisingly simple potential vulnerabilities in a number of areas. Good to see someone looking at MQ security and building tools for auditing MQ systems.

Hot topics for the press were Justin Ferguson’s talk on exploiting interpreted languages like Python and Perl, resulting in potentially remotely exploitable vulnerabilities in services like the recently released Google App Engine, and Sebastian Muniz’s talk on developing the first public Cisco IOS rootkit. Both were impressive and it will be interesting to see what happens in this space over the next few months.

I gave another lightning talk on Evil Javascript and SpamMonkey, which we hope to start making public soon. You can find the slides here.

As always, one of the best things about the event was the opportunity to meet up with interesting people in a relaxed environment and discuss what they were working on. It was also good to get a chance to catch up with friends and various industry people. Lots of interesting contacts and discussions, and hopefully we’ll release some research in the coming months that will have benefited from them. All in all, another interesting and enjoyable (sleep deprived) SecWest event.

EuSecWest08

11:32, May 20th, 2008 by david

I’m in London this week for EuSecWest08, the European version of the excellent CanSec and PacSec series of conferences, which is happening tomorrow and Thursday in Leicester Square. A couple of scheduled talks are generating interest on the net already:

  • Sebastian Muniz’s “Da IOS Rootkit” talk will review his reverse engineering and kernel hooking approach to building a reliable Cisco IOS rootkit
  • Justin Ferguson’s “Advances in attacking interpreted languages” will cover the attack surface and potential vulnerabilities in Google’s recently released App Engine.

Hopefully EuSec will be another interesting and entertaining event, with any honeynet-related news and events to follow.

OpenWrt Nepenthes on VMWare x86 and Routerboard 532a

11:21, May 20th, 2008 by david

Experimentation with running Nepenthes malware collectors on the OpenWrt embedded platform continues, so I’ve updated the Nepenthes on OpenWrt HOWTO with information on building x86 ports to run under VMWare and also added build instructions for the MikroTik Routerboard 532a embedded device.

Eudaemon: dynamic user-space process possession and instrumentation

14:46, May 12th, 2008 by david

I recently came across an interesting paper by researchers at Vrije University in Amsterdam (the hosts for last month’s WOMBAT workshop). It details a project they call “Eudaemon” (a good spirit from Greek mythology) which borrows from the heavily instrumented system-wide dynamic taint analysis approach of the Argos honeypot, but instead ports Argos’s dynamic taint analysis engine to a user-space emulator called SEAL. Individual suspect processes within a high interaction honeypot can be marked for “possession” by Eudaemon: the process is temporarily frozen, passed into SEAL for dynamic taint checking (the emulator library is transparently pre-loaded into the memory space of every process, and ptrace is used to attach to the frozen process), and then released cleanly once the detailed instrumentation is complete. Their initial benchmarks show significant performance improvements over Argos’s system-wide approach (which typically slows down a running virtual machine by an order of magnitude or more), and this appears to be the first security system that allows fully native applications to be switched into emulated operation mid-process. Definitely worth a read from a high interaction honeypot perspective (particularly for client honeypot applications), and I’m looking forward to seeing working code.

Embedded Nepenthes – malware collection using OpenWRT

16:22, May 7th, 2008 by david

For Phase Two of our Global Distributed Honeynet Project (GDH) I’ve been continuing to explore how to extend our sensor deployment footprint at minimum cost. Mixed high and low interaction nodes will always require real server / PC hardware, but for a number of years I’ve been interested in using “plug and play” low interaction-only honeypots such as Nepenthes malware collectors via bootable or embedded devices. These devices are much easier to mass produce and distribute to project members, and with consumer device price levels continuing to fall it has become practical to distribute such sensors on a larger scale internationally (i.e. hundreds rather than tens of live sensor nodes).

Deployment options are generally based around two models:

  1. Local sensor, with honeypot software running locally on the sensor.
  2. Gateway sensor, with no honeypot software running locally and instead some form of tunnelling solution (GRE, IPSEC, OpenVPN, Honeymole, etc) being used to transparently bridge IP traffic to a central honeyfarm.

I won’t go into too much detail here at this stage, but as we plan to roll out an expanded data collection system along these lines during 2008 you can expect to see more information here in the future.

As part of the background research into building reliable low cost low interaction honeypots, I’ve recently needed to port a number of tools such as Nepenthes to various embedded devices for testing. As this turned out to be a little more time consuming than originally expected, I’ve posted a HOWTO guide for building Nepenthes on the OpenWRT embedded platform. Hopefully this information might help anyone else interested in similar research save a few hours of confusion.