15:56, August 14th, 2007 by david
An updated version of Honeysnap has been released, Honeysnap 1.0.6.10. If you have not upgraded in a while, we recommend you do, as there have been numerous bug fixes, tweaks and updates. This latest version also includes improved support for Linux with Python 2.5.
Posted in UK Tool Releases
14:30, August 6th, 2007 by arthur
There’s been much discussion about how to spot malicious javascript. One simple approach that spots a reasonable amount of malware is the ratio of the number of javascript keywords in the code to the total length of the code. This nicely spots things like uuencoded code, although it will miss some other types of obfuscation.
Expressed as a formula (*):
m' = (sum over k in K of count(T, k)) / len(T)
m = 1/m' if m' != 0
where T is the text, count(T, k) is the number of occurrences of keyword k in T, and K is the set of all javascript keywords plus a few common browser extensions. Higher values of m = more badness.
It’s not infallible in that it’s easy to create bad javascript that this doesn’t spot, but anything that does score highly is likely to be bad.
Sample python code (right-click and use ’save as’): js_measure.tgz
(*) Oh for latex!
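As an added illustration of the ratio above (this is not the js_measure.tgz code linked in the post), a Python 3 sketch with a constructed keyword list, whole-word matching assumed for count(T, k), and two constructed inputs:

```python
import re

# Assumed keyword set: the post does not list the exact keywords or
# "browser extensions" used by js_measure.tgz, so this one is constructed.
JS_KEYWORDS = (
    "var", "function", "return", "if", "else", "for", "while", "new",
    "this", "typeof", "true", "false", "null",
    # common browser objects, standing in for the post's "browser extensions"
    "document", "window", "location", "navigator",
)

# Whole-word, case-sensitive matches only, so "if" inside "gif" or inside
# an upper-case hex blob does not count as a keyword.
_KW_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, JS_KEYWORDS)) + r")\b")


def count_keywords(text):
    """Sum over k in K of count(T, k): total keyword occurrences in text."""
    return len(_KW_RE.findall(text))


def js_measure(text):
    """Return (m', m) for the post's formula.

    m' = total keyword count / len(T); m = 1/m' when m' != 0, else None.
    A larger m means fewer keywords per byte, i.e. more likely encoded.
    """
    if not text:
        return 0.0, None
    m_prime = count_keywords(text) / len(text)
    return m_prime, (1.0 / m_prime if m_prime else None)


# Constructed samples: a plain script, and the percent-encoded style of blob
# the post describes (the encoded payload here is a harmless HTML fragment).
PLAIN_JS = (
    'function greet(name) {\n'
    '  var msg = "Hello, " + name;\n'
    '  if (name) { return msg; } else { return null; }\n'
    '}\n'
)
_ENCODED = "".join("%%%02X" % ord(c) for c in "<p>hello world</p>" * 20)
ENCODED_JS = "document.write(unescape('" + _ENCODED + "'))"

if __name__ == "__main__":
    for label, src in (("plain", PLAIN_JS), ("encoded", ENCODED_JS)):
        m_prime, m = js_measure(src)
        print("%-8s keywords=%d len=%d m'=%.5f m=%s"
              % (label, count_keywords(src), len(src), m_prime, m))
```

The encoded sample contains a single keyword in over a thousand bytes, so its m is roughly two orders of magnitude above the plain script's; a text with no keywords at all yields m' = 0 and an undefined m, which the code reports as None.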
Posted in HOWTO
18:25, August 1st, 2007 by david
Mark Ryan Talabis from the Philippine / Hawaii Honeynet Project presented today at Blackhat USA 2007 (http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Talabis). His presentation, titled “The Security Analytics Project: Alternatives in Analysis”, covered data analysis related topics, which is an area of honeynet research where progress is still sorely lacking, and it included coverage of some recent UK Honeynet Project activity such as GDH and Honeysnap. Slides should eventually be available online at the Blackhat website. Some press coverage of his talk can be found here.
Posted in Events
23:19, July 18th, 2007 by arthur
We have been seeing an increasing amount of malicious obfuscated javascript being used in online scams, which was taking a considerable amount of human time to decode and analyse. Sometimes a quick tool can save a lot of time and effort, so we are happy to announce Decrypt JS, a very simple Python program that uses SpiderMonkey (the Mozilla/Firefox Javascript engine) to decode obfuscated javascript. See our tools page to download the code.
Posted in Tool Releases, UK Tool Releases
17:40, July 18th, 2007 by david
Arthur Clune presented on “Trends in Web Attacks” on behalf of the UK Honeynet Project at the 2007 Institutional Web Management Workshop, held at the University of York, 16-18 July 2007. An online copy of Arthur’s presentation can be found here.
Posted in Events, UK presentations
17:34, July 18th, 2007 by david
There have been a number of releases of new and interesting tools by members of the Honeynet Project and the Research Alliance over the past few weeks. In particular, the following are definitely worthy of further investigation:
HoneyC is a low interaction client honeypot / honeyclient designed to emulate web clients and identify malicious servers on the web. HoneyC is developed and maintained by Christian Seifert of the NZ Chapter.
Capture-HPC is a high interaction client honeypot. A client honeypot is a security technology that allows one to find malicious servers on a network. Capture identifies malicious servers by interacting with potentially malicious servers from a dedicated virtual machine and observing the changes in that machine’s system state. Capture-HPC is developed and maintained by Christian Seifert of the NZ Chapter.
CaptureBAT is a behavioral analysis tool for applications on the Win32 operating system family. CaptureBAT is able to monitor the state of a system during the execution of applications and the processing of documents, which provides an analyst with insights into how the software operates even if no source code is available. CaptureBAT monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ Chapter.
Pehunter is a snort dynamic preprocessor that grabs Windows executables off the network and is designed to sit in-line in front of high-interaction honeypots. Developed and maintained by Tillmann Werner of the German Honeynet Project.
The High Interaction Honeypot Analysis Toolkit (HIHAT) attempts to transform arbitrary PHP applications into web-based high-interaction honeypots. A typical use would be the transformation of PHPNuke, PHPMyAdmin or OSCommerce into a fully functional honeypot, and HIHAT provides a graphical user interface to support the process of monitoring the honeypot, analyzing the acquired data and generating statistics. Developed and maintained by Michael Mueter of the German Honeynet Project.
Posted in Tool Releases
17:21, July 17th, 2007 by david
The Honeynet Project have released a new KYE white paper. KYE: Fast-Flux Service Networks describes how attackers are developing more robust and scalable networks for delivering cyber-crime, based on networks of compromised hosts with rapidly changing DNS records and layers of proxy server redirection.
Posted in Whitepapers
17:45, July 3rd, 2007 by david
Although it has been a long while coming, the Honeynet Project have finally released version 1.2 of the Roo Honeywall. This release moves the base platform to the actively maintained Fedora Core 6 OS release and adds a number of other updates, enhancements and bug fixes. Of particular interest to people running honeynets in the wild will be the default enabling of BPF filters, which ensure that only traffic explicitly addressed to monitored honeypots is logged.
Posted in Tool Releases