Honeypots, Honeynets, Bots and Botenets - PowerPoint PPT Presentation

About This Presentation

Title:

Honeypots, Honeynets, Bots and Botenets

Description:

Honeypots, Honeynets, Bots and Botenets Source: The HoneyNet Project http://www.honeynet.org/ How The Botnet Grows How The Botnet Grows How The Botnet Grows How The ... – PowerPoint PPT presentation

Number of Views:391

Avg rating:3.0/5.0

Slides: 58

Provided by: Mehe1

Learn more at: http://www.utdallas.edu

Category:

more less

Transcript and Presenter's Notes

Title: Honeypots, Honeynets, Bots and Botenets

1
Honeypots, Honeynets, Bots and Botenets

Source The HoneyNet Project http//www.honeynet.o
rg/

2
Why HoneyPots

A great deal of the security profession and the
IT world depend on honeypots. Honeypots
Build anti-virus signatures.
Build SPAM signatures and filters.
ISPs identify compromised systems.
Assist law-enforcement to track criminals.
Hunt and shutdown botnets.
Malware collection and analysis.

3
What are Honeypots

Honeypots are real or emulated vulnerable systems
ready to be attacked.
Primary value of honeypots is to collect
information.
This information is used to better identify,
understand and protect against threats.
Honeypots add little direct value to protecting
your network.

4
Types of HoneyPot

Server Put the honeypot on the Internet and let
the bad guys come to you.
Client Honeypot initiates and interacts with
servers
Other Proxies

5
Types of HoneyPot

Low-interaction
Emulates services, applications, and OSs.
Low risk and easy to deploy/maintain, but capture
limited information.
High-interaction
Real services, applications, and OSs
Capture extensive information, but high risk and
time intensive to maintain.

6
Types of HoneyPot

Production
Easy to use/deploy
Capture limited information
Mainly used by companies/corporations
Placed inside production network w/other servers
Usually low interaction
Research
Complex to maintain/deploy
Capture extensive information
Primarily used for research, military, or govt.
orgs

7
Examples Of Honeypots

BackOfficer Friendly
KFSensor
Honeyd
Honeynets

Low Interaction
High Interaction
8
Honeynets

High-interaction honeypot designed to capture
in-depth information.
Information has different value to different
organizations.
Its an architecture you populate with live
systems, not a product or software.
Any traffic entering or leaving is suspect.

9
How It Works

A highly controlled network where every packet
entering or leaving is monitored, captured, and
analyzed.
Data Control
Data Capture
Data Analysis

10
Honeynet Architecture
11
Data Control

Mitigate risk of honeynet being used to harm
non-honeynet systems.
Count outbound connections.
IPS (Snort-Inline)
Bandwidth Throttling

12
No Data Control
13
Data Control
14
Data Capture

Capture all activity at a variety of levels.
Network activity.
Application activity.
System activity.

15
Sebek

Hidden kernel module that captures all host
activity
Dumps activity to the network.
Attacker cannot sniff any traffic based on magic
number and dst port.

16
Sebek Architecture
17
Honeywall CDROM

Attempt to combine all requirements of a
Honeywall onto a single, bootable CDROM.
May, 2003 - Released Eeyore
May, 2005 - Released Roo

18
Roo Honeywall CDROM

Based on Fedora Core 3
Vastly improved hardware and international
support.
Automated, headless installation
New Walleye interface for web based
administration and data analysis.
Automated system updating.

19
Installation

Just insert CDROM and boot, it installs to local
hard drive.
After it reboots for the first time, it runs a
hardening script based on NIST and CIS security
standards.
Following installation, you get a command prompt
and system is ready to configure.

20
Further Information

http//www.honeynet.org/
http//www.honeynet.org/book

21
Network Telescope

Also known as a darknet, internet motion sensor
or black hole
Allows one to observe different large-scale
events taking place on the Internet.
The basic idea is to observe traffic targeting
the dark (unused) address-space of the network.
Since all traffic to these addresses is
suspicious, one can gain information about
possible network attacks
random scanning worms, and DDoS backscatter
As well as other misconfigurations by observing
it.

22
Honeytoken

honeytokens are honeypots that are not computer
systems.
Their value lies not in their use, but in their
abuse.
As such, they are a generalization of such ideas
as the honeypot and the canary values often used
in stack protection schemes.
Honeytokens can exist in almost any form,
from a dead, fake account to a
database entry that would only be selected by
malicious queries,
making the concept ideally suited to ensuring
data integrityany use of them is inherently
suspicious if not necessarily malicious.

23
Honeytoken

In general, they don't necessarily prevent any
tampering with the data,
but instead give the administrator a further
measure of confidence in the data integrity.
An example of a honeytoken is a fake email
address used to track if a mailing list has been
stolen

24
Honeymonkey

HoneyMonkey,
short for Strider HoneyMonkey Exploit Detection
System, is a Microsoft Research honeypot.
The implementation uses a network of computers
to crawl the World Wide Web searching for
websites that use browser exploits to install
malware on the HoneyMonkey computer.
A snapshot of the memory, executables and
registry of the honeypot computer is recorded
before crawling a site.
After visiting the site, the state of memory,
executables, and registry is compared to the
previous snapshot.
The changes are analyzed to determine whether the
visited site installed malware onto the honeypot
computer.

25
Honeymonkey

HoneyMonkey is based on the honeypot concept,
with the difference that it actively seeks
websites that try to exploit it.
The term was coined by Microsoft Research in
2005.
With honeymonkeys it is possible to find open
security holes that aren't yet publicly known but
are exploited by attackers.

26
Tarpit

A tarpit (also known as Teergrube, the German
word for tarpit) is a service on a computer
system (usually a server) that delays incoming
connections for as long as possible.
The technique was developed as a defense against
a computer worm, and
the idea is that network abuses such as spamming
or broad scanning are less effective if they take
too long.
The name is analogous with a tar pit, in which
animals can get bogged down and slowly sink under
the surface.

27
Botnets

by
Mohammad M. Masud

28
Botnets

Introduction
History
How to they spread?
What do they do?
Why care about them?
Detection and Prevention

29
Bot

The term 'bot' comes from 'robot'.
In computing paradigm, 'bot' usually refers to an
automated process.
There are good bots and bad bots.
Example of good bots
Google bot
Game bot
Example of bad bots
Malicious software that steals information

30
Botnet

Network of compromised/bot-infected machines
(zombies) under the control of a human attacker
(botmaster)

31
History

In the beginning, there were only good bots.
ex google bot, game bot etc.
Later, bad people thought of creating bad bots so
that they may
Send Spam and Phishing emails
Control others pc
Launch attacks to servers (DDOS)
Many malicious bots were created
SDBot/Agobot/Phatbot etc.
Botnets started to emerge

32
TimeLine
2006
1989
1999
2000
2002
2003
Present
2001
2004
2005
33
Cases in the news

Axel Gembe
Author or Agobot (aka Gaobot, Polybot)
21 yrs old
Arrested from Germany in 2004 under Germanys
computer Sabotage law
Jeffry Parson
Released a variation of Blaster Worm
Infected 48,000 computers worldwide
18 yrs old
Arrested , sentenced to 18 month 3yrs of
supervised released

34
How The Botnet Grows
35
How The Botnet Grows
36
How The Botnet Grows
37
How The Botnet Grows
38
Recruiting New Machines

Exploit a vulnerability to execute a short
program (exploits) on victims machine
Buffer overflows, email viruses, Trojans etc.
Exploit downloads and installs actual bot
Bot disables firewall and A/V software
Bot locates IRC server, connects, joins
Typically need DNS to find out servers IP
address
Authentication password often stored in bot
binary
Botmaster issues commands

39
Recruiting New Machines
40
What Is It Used For

Botnets are mainly used for only one thing

41
How Are They Used

Distributed Denial of Service (DDoS) attacks
Sending Spams
Phishing (fake websites)
Addware (Trojan horse)
Spyware (keylogging, information harvesting)
Storing pirated materials

42
Example SDBot

Open-source Malware
Aliases
Mcafee IRC-SDBot, Symantec Backdoor.Sdbot
Infection
Mostly through network shares
Try to connect using password guessing (exploits
weak passwords)
Signs of Compromise
SDBot copies itself to System folder - Known
filenames Aim95.exe, Syscfg32.exe etc..
Registry entries modified
Unexpected traffic port 6667 or 7000
Known IRC channels Zxcvbnmas.i989.net etc..

43
Example RBot

First of the Bot families to use encryption
Aliases
Mcafee W32/SDbot.worm.gen.g, Symantec
W32.Spybot.worm
Infection
Network shares, exploiting weak passwords
Known s/w vulnerabilities in windows (e.g. lsass
buffer overflow vulnerability)
Signs of Compromise
copies itself to System folder - Known filenames
wuamgrd.exe, or random names
Registry entries modified
Terminate A/V processes
Unexpected traffic 113 or other open ports

44
Example Agobot

Modular Functionality
Rather than infecting a system at once, it
proceeds through three stages (3 modules)
infect a client with the bot open backdoor
shut down A/V tools
block access to A/V and security related sites
After successful completion of one stage, the
code for the next stage is downloaded
Advantage?
developer can update or modify one portion/module
without having to rewrite or recompile entire
code

45
Example Agobot

Aliases
Mcafee W32/Gaobot.worm, Symantec
W32.HLLW.Gaobot.gen
Infection
Network shares, password guessing
P2P systems Kazaa etc..
Protocol WASTE
Signs of Compromise
System folder svshost.exe, sysmgr.exe etc..
Registry entries modification
Terminate A/V processes
Modify System\drivers\etc\hosts file
Symantec/ Mcafees live update sites are
redirected to 127.0.0.1

46
Example Agobot

Signs of Compromise (contd..)
Theft of information seek and steal CD keys for
popular games like Half-Life, NFS etc..
Unexpected Traffic open ports to IRC server
etc..
Scanning Windows, SQL server etc..

47
DDos Attack

Goal overwhelm victim machine and deny service
to its legitimate clients
DoS often exploits networking protocols
Smurf ICMP echo request to broadcast address
with spoofed victims address as source
Ping of death ICMP packets with payloads greater
than 64K crash older versions of Windows
SYN flood open TCP connection request from a
spoofed address
UDP flood exhaust bandwidth by sending thousands
of bogus UDP packets

48
DDoS attack

Coordinated attack to specified host

Attacker
Master (IRC Server) machines
Zombie machines
Victim
49
Why DDoS attack?

Extortion
Take down systems until they pay
Works sometimes too!
Example 180 Solutions Aug 2005
Botmaster used bots to distribute 180solutions
addware
180solution shutdown botmaster
Botmaster threatened to take down 180solutions if
not paid
When not paid, botmaster use DDoS
180Solutions filed Civil Lawsuit against hackers

50
Botnet Detection

Host Based
Intrusion Detection Systems (IDS)
Anomaly Detection
IRC Nicknames
HoneyPot and HoneyNet

51
Host-based detection

Virus scanning
Watching for Symptoms
Modification of windows hosts file
Random unexplained popups
Machine slowness
Antivirus not working
Watching for Suspicious network traffic
Since IRC is not commonly used, any IRC traffic
is suspicious. Sniff these IRC traffic
Check if the host is trying to communicate to any
Command and Control (CC) Center
Through firewall logs, denied connections

52
Network Intrusion Detection Systems

Example Systems Snort and Bro
Sniff network packets, looks for specific
patterns (called signatures)
If any pattern matches that of a malicious
binary, then block that traffic and raise alert
These systems can efficiently detect virus/worms
having known signatures
Can't detect any malware whose signature is
unknown (i.e., zero day attack)

53
Anomaly Detection