UK Honeynet Project 

The Honeynet Project released a new Know Your Enemy: “Behind the Scenes of Malicious Web Servers” white paper today, which follows up on recent publications about malicious web sites and attacks against common web clients.

Abstract:

“In this paper, we increase our understanding of malicious web servers through analysis of several web exploitation kits that have appeared in 2006/07: WebAttacker, MPack, and IcePack. Our discoveries will necessitate adjustments on how we think about malicious web servers and will have direct implications on client honeypot technology and future studies.”

Lots of cross over with recent UKHP activity and well worth a read.

The October edition of Elsevier’s Network Security publication contains part one of an article on web application attacks written by David Watson of the UK Honeynet Project, with the second part to follow in November.

The line-up for this years PacSec07 conference in Tokyo on November the 29th was announced today, and will include a presentation on deploying and operating a global distributed honeynet by David Watson of the UK Honeynet Project. This presentation will follow up on previous EuSec and CanSec lightning talks about GDH and will hopefully coincide with the release of more public information about the GDH research initiative.

David Watson was interviewed this week by BBC News, for piece on identity theft and attacks against Internet users.

The Honeynet Project published it’s annual status report today, which includes a round up the R&D activity undertaken by members during the previous year. Details of some UK Honeynet Project are also included.

The New Zealand Honeynet Project have been busy with version two of their Capture-HPC client honeypot application, which we use internally for crawling and analysis of suspect URLs. Some of the new features include:

* support for any client application that is http protocol aware (for example, Microsoft Excel)

* ability to automatically collect malware

* ability to automatically collect network traffic on the client

* ability to push exclusion lists from the Capture Server to the Capture Client

* improved control of Internet Explorer: obtain HTML error codes; specify visitation delay after page has been retrieved; retry visitation of URLs in case of time outs or network errors)

* support for plug-in architecture, that allows to create fine grained control of clients (for example, as provided for Internet Explorer), but also allows for integration of client applications that require complex interactions to retrieve content from the web ( e.g. Safari is such an application. It doesn’t allow retrieval of web content by passing the URL as a parameter)

Highly recommended if you are interested in research in this area, as it is very actively maintained and has been effective in our experience.

Lance Spitzner was one of the keynote speakers at Hack-In-The-Box 2007 in Malaysia this week, and talked about some of the research we have been involved in recently (including the Honeynet Project’s Global Distributed Honeynet initiative - GDH, which David led). More details can be found at the conference web site.

I’ve wanted to post this graph for a while but only just got round to anonymising the data.

Looking at piles of IRC logs can be very unilluminating, but it’s not obvious what to do with all the data. One nice way of getting a handle on links between channels is to plot channels with links between them weighted by the number of users in common.

The example above is from a honeynet we ran in 2004/5. The graph shows up a couple of things nicely:

1) There are two distinct groups of channels, and a look at the data shows that there two groups correspond to channels in different languages and,
2) The strong links between a couple of channels in the main group show up that these channels are related and looking at the data shows them to be used for discussing hacking, while the other channels are innocuous.

The original channel names have been replaced by ‘cN’ to protect the guilty.