Welcome to the UK Honeynet Project

The UK Honeynet Project (a Chapter of The Honeynet Project) was founded in 2002 as a volunteer not-for-profit research organisation. Our aim is to provide information surrounding security threats and vulnerabilities active in the wild on UK networks today, to learn the tools, tactics, and motives of the blackhat community and to share these lessons learned with the public and the wider IT community. The project seeks to provide input as part of an overall honeynet community of teams researching security within IT systems around the globe.

Visualising IRC data

19:49, August 30th, 2007 by arthur

I’ve wanted to post this graph for a while but only just got round to anonymising the data.

Looking at piles of IRC logs can be very unilluminating, but it’s not obvious what to do with all the data. One nice way of getting a handle on links between channels is to plot channels with links between them weighted by the number of users in common.


The example above is from a honeynet we ran in 2004/5. The graph shows up a couple of things nicely:

1) There are two distinct groups of channels, and a look at the data shows that these two groups correspond to channels in different languages, and
2) The strong links between a couple of channels in the main group show that these channels are related; looking at the data shows them to be used for discussing hacking, while the other channels are innocuous.

The original channel names have been replaced by ‘cN’ to protect the guilty.
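The channel graph described above, built the way the post explains it: each pair of channels gets an edge weighted by the number of users the two have in common. This is an added example, not the project's own code; the join records and the cN channel names are constructed sample data.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: (channel, nick) records as IRC logs might be reduced to.
# Channel names are anonymised as cN, as in the post.
SAMPLE_JOINS = [
    ("c1", "alice"), ("c1", "bob"), ("c1", "carol"), ("c1", "dave"),
    ("c2", "alice"), ("c2", "bob"), ("c2", "carol"),
    ("c3", "dave"), ("c3", "erin"),
    ("c4", "frank"), ("c4", "grace"),
    ("c5", "frank"), ("c5", "grace"), ("c5", "heidi"),
]


def channel_members(joins):
    """Map each channel to the set of distinct nicks seen in it."""
    members = defaultdict(set)
    for channel, nick in joins:
        members[channel].add(nick)
    return members


def shared_user_edges(members, min_weight=1):
    """Weight each channel pair by the number of users in common.

    Returns {(chan_a, chan_b): weight} with chan_a < chan_b; pairs below
    min_weight are dropped so unrelated channels do not clutter the plot.
    """
    edges = {}
    for a, b in combinations(sorted(members), 2):
        weight = len(members[a] & members[b])
        if weight >= min_weight:
            edges[(a, b)] = weight
    return edges


def to_dot(members, edges):
    """Render the weighted graph as Graphviz DOT; edge width scales with weight."""
    lines = ["graph irc {"]
    lines += [f'  "{channel}";' for channel in sorted(members)]
    for (a, b), w in sorted(edges.items()):
        lines.append(f'  "{a}" -- "{b}" [label={w}, penwidth={w}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    members = channel_members(SAMPLE_JOINS)
    print(to_dot(members, shared_user_edges(members)))
```

On the sample data the output splits into two disconnected groups (c1/c2/c3 and c4/c5), with the c1--c2 edge clearly the heaviest, which is the kind of structure the post reads off its graph.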

Interesting Google Tech Talk

11:53, August 30th, 2007 by arthur

There’s an interesting Google Tech Talk by Ross Anderson on ‘Searching for Evil’ about his work on looking at how “evildoers” network and the implications this has.

http://video.google.com/videoplay?docid=-1380463341028815296

ISOI workshop

16:06, August 29th, 2007 by david

Members of the UK Honeynet Project and Honeynet Project were again attendees at the 3rd Internet Security Operations and Intelligence workshop in Washington DC this week, which provided another excellent opportunity to catch up with other researchers and discuss the latest online threats. Press coverage.

“Virtual Honeypots” book published (Holz/Provos)

15:39, August 23rd, 2007 by david

Long-time Honeynet Project members Niels Provos and Thorsten Holz’s book “Virtual Honeypots: From Botnet Tracking to Intrusion Detection” was released in the US last month but has only just become available here in the UK. It has picked up a number of good reviews, and we highly recommend it as a good background on honeynet technologies and their uses.

“KYE: Malicious Websites” released

15:57, August 14th, 2007 by david

The Honeynet Project has released a new Know Your Enemy white paper on malicious websites and attacks against web browsers: “In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC”. This paper contains lots of interesting web attack related material.

http://www.honeynet.org/papers/mws/

Updated honeysnap tool released

15:56, August 14th, 2007 by david

An updated version of Honeysnap has been released, Honeysnap 1.0.6.10. If you have not upgraded in a while, we recommend you do, as there have been numerous bug fixes, tweaks and updates. This latest version also includes improved support for Linux with Python 2.5.

Spotting malicious javascript

14:30, August 6th, 2007 by arthur

There’s been much discussion about how to spot malicious JavaScript. One simple approach that spots a reasonable amount of malware is a simple ratio of the number of JavaScript keywords in the code to the total length of the code. This nicely spots things like uuencoded code, although it will miss some other types of obfuscation.

Expressed as a formula (*):

m’ = Sum over k of count(T, k)/len(T)

m = 1/m’ if m’ != 0

where T is the text, count(T, k) is the number of occurrences of k in T, and k ranges over the set of all JavaScript keywords plus a few common browser extensions. Higher numbers = more badness.

It’s not infallible in that it’s easy to create bad javascript that this doesn’t spot, but anything that does score highly is likely to be bad.

Sample python code (right-click and use ’save as’): js_measure.tgz

(*) Oh for latex!
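The keyword-density measure above, implemented in Python as an added example (this is not the js_measure.tgz code from the post). The keyword list is assumed, since the post does not give its exact set, and the two input snippets are constructed: a short benign function and a long percent-encoded blob handed to eval(unescape(...)), standing in for the encoded payloads the post says the measure catches.

```python
import re

# Assumed keyword set: JavaScript reserved words plus a few common browser
# globals; the post only describes the set in outline.
JS_KEYWORDS = {
    "var", "function", "return", "if", "else", "for", "while", "new",
    "this", "typeof", "true", "false", "null", "break", "case", "switch",
    "document", "window", "navigator", "location", "eval", "unescape",
}
_TOKEN = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")

# Constructed benign sample.
BENIGN = """function greet(name) {
  var msg = "Hello, " + name;
  if (msg) { document.title = msg; }
  return msg;
}"""

# Constructed encoded sample: 400 percent-escaped letters, no real payload.
ENCODED = 'eval(unescape("' + "".join("%%%02X" % (65 + i % 26) for i in range(400)) + '"));'


def keyword_hits(text):
    """Sum over k of count(T, k): keyword tokens found in the text."""
    return sum(1 for tok in _TOKEN.findall(text) if tok in JS_KEYWORDS)


def keyword_density(text):
    """m' from the post: keyword occurrences divided by total text length."""
    if not text:
        return 0.0
    return keyword_hits(text) / len(text)


def badness(text):
    """m = 1/m'. The post leaves m' == 0 undefined; here that case (no
    keywords at all) is treated as maximally suspicious, an assumption."""
    density = keyword_density(text)
    return float("inf") if density == 0 else 1.0 / density


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("encoded", ENCODED)):
        print(f"{label:8s} hits={keyword_hits(sample):2d} "
              f"len={len(sample):5d} badness={badness(sample):8.1f}")
```

The benign snippet scores in the low tens while the encoded blob scores in the hundreds, which is the separation the post relies on; as it notes, a script padded with harmless keyword-rich code would pull its score back down.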

Blackhat USA 2007 honeynet data analysis talk

18:25, August 1st, 2007 by david

Mark Ryan Talabis from the Philippine / Hawaii Honeynet Project presented today at Blackhat USA 2007 (http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Talabis). His presentation, titled “The Security Analytics Project: Alternatives in Analysis”, covered data analysis related topics, an area of honeynet research where progress is still sorely lacking, and it included coverage of some recent UK Honeynet Project activity such as GDH and Honeysnap. Slides should eventually be available online at the Blackhat website. Some press coverage of his talk can be found here.