UK Honeynet Project 

Members of the UK Honeynet Project and Honeynet Project were again attendees at the 3rd Internet Security Operations and Intelligence workshop in Washington DC this week, which provided an another excellent opportunity to catch up with other researchers and discuss the latest online threats. Press coverage.

Long time Honeynet Project members Niels Provos and Thorsten Holz’s book “Virtual Honeypots: From Botnet Tracking to Intrusion Detection” was released in the US last month but has only just become available here in the UK recently. It has picked up a number of good reviews, and we highly recommended it for a good background on honeynet technologies and their uses.

The Honeynet Project has released a new Know Your Enemy white paper on malicious websites and attacks against web browsers: “In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC”. This paper contains lots of interesting web attack related material.

http://www.honeynet.org/papers/mws/

An updated version of Honeysnap has been released, Honeysnap 1.0.6.10. If you have not upgraded in a while, we recommend you do as there has been numerous bug fixes, tweaks and updates. This latest version also includes improved support for Linux with Python 2.5.

There’s been much discussion about how to spot malicious javascript. One simple approach that spots a reasonable amount of malware is a simple ratio of the number of Javascript keywords in the code to the total length of the code. This nicely spots things like uuencoded code, although it will miss some other types of obscufation.

Expressed as a formula (*):

m’ = Sum over k of count(T, k)/len(T)

m = 1/m’ if m’ != 0

where T is the text, count(T, k) is the number of occurences of k in T and k is a set of all javascript keywords + a few common browser extensions. Higher numbers = more badness.

It’s not infallible in that it’s easy to create bad javascript that this doesn’t spot, but anything that does score highly is likely to be bad.

Sample python code (right-click and use ‘save as’): js_measure.tgz

(*) Oh for latex!

Mark Ryan Talabis from the Philippine / Hawaii Honeynet Project presented today at Blackhat USA 2007 (http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Talabis). His presentation titled “The Security Analytics Project: Alternatives in Analysis” covered data analysis related topics, which is an area of honeynet research where progress is still sorely lacking, and it included coverage of some of recent UK Honeynet Project activity such as GDH and Honeysnap. Slides should eventually be available online at the Blackhat website. Some press coverage of his talk can be found here.

We have been seeing an increasing amount of malicious obfuscated javascript being used in online scams, which was taking a considerable amount of human time to decode and analyse. Sometimes a quick tool can save a lot of time and effort, so we are happy to announce Decrypt JS, a very simple Python program that uses Script Monkey (the Mozilla/Firefox Javascript engine) to decode obfuscated javascript. See our tools page to download the code.

Arthur Clune presented on “Trends in Web Attacks” on behalf of the UK Honeynet Project at the 2007 Institutional Web Management Workshop, held at the University of York 16-18 July 2007. An on-line copy of Arthur’s presentation can be found here.