honeyTARG Chapter Status Report for 2014

ORGANIZATION

Current chapter members and their activities:

  • Cristine Hoepers, D.Sc., Chapter Lead
  • Klaus Steding-Jessen, D.Sc., Development of Data Capture and Collection Tools
  • Marcelo H. P. C. Chaves, M.Sc., Development of Data Collection and Visualization Tools
  • Dionathan Nakamura, M.Sc., Database Design and Development of Visualization Tools
  • Marcus Vinicius Lahr Giraldi, M.Sc. candidate, Malware Analysis
  • Dorgival Olavo Guedes Neto, PhD, Spam Data Mining Research
  • Wagner Meira Jr., PhD, Spam Data Mining Research

DEPLOYMENTS

honeeebox sensor

One honeeebox sensor, sending data to hpfeeds.

Distributed Honeypots Project (since 2003)

http://honeytarg.cert.br/honeypots/
Objective: increase the capacity of incident detection, event correlation and trend analysis in the Brazilian Internet space.
Honeypots deployed: 55 honeypots, deployed in partnership with 47 Brazilian organizations, including the energy sector, government, telecommunications, ISPs and universities. In 2014, 5 organizations joined the Project.
Tools: OpenBSD systems running Honeyd, several Honeyd listeners, plus some code developed in-house. Some of the listeners were developed in 2014 (and can be made available to Honeynet Project members upon request):

  • dlink-telnet: D-Link CPE telnet CLI listener, emulates some CLI functionalities and logs all sessions and brute force attempts;
  • wordpress: emulates a WordPress CMS installation and logs brute force attempts and enumerations;
  • http: HTTP listener emulating a basic Apache installation.

Results: The analysis of the data collected is made available to the public via flows and trend analysis graphics available at: http://honeytarg.cert.br/honeypots/stats/

SpamPots Project (since 2006)

http://honeytarg.cert.br/spampots/
Objective: gather data related to the abuse of the Internet infrastructure by spammers.
Honeypots deployed: 14 honeypots, deployed in 12 countries, mostly in partnership with local CERTs. In 2014 we strengthened the spam data analysis research partnership with the University of Alabama at Birmingham, which hosts one honeypot in the US, and the partnership with the Shadowserver Foundation, which hosts 2 honeypots, one in the US and another in Norway.
Tools: OpenBSD systems running code developed in-house. In 2014 we concentrated on enhancing the database infrastructure, including different database query interfaces, and data visualization products available to the project partners.

RESEARCH AND DEVELOPMENT

Details about the data analysis research, published as articles and papers, are in the next section.
We are cooperating in the SpamPots Project with David Watson, from the UK Chapter, and with Shadowserver. David Watson finished porting our code to Linux and has been massively deploying it across Shadowserver's spam sensor infrastructure. The data collected is used to identify the spammers' origins and to improve their blacklists.
We are donating data to National CERTs, some of them with Honeynet Chapters, so they can act on the attack data collected to stop the attacks and identify infected machines.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

Academic Papers:

Title: [Best paper award] SpamBands - a methodology for the identification of spam sources acting in an orchestrated fashion (Original Title in Portuguese: SpamBands: uma metodologia para identificação de fontes de spam agindo de forma orquestrada)
Authors: Elverton Fazzion, Pedro Henrique B. Las-Casas, Osvaldo Fonseca, Dorgival Guedes, Wagner Meira Jr, Cristine Hoepers, Marcelo H. P. C. Chaves, Klaus Steding-Jessen.
Conference: XIV Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais (14th Brazilian Symposium on Information and Computational Systems Security (SBSeg)), 2014, Belo Horizonte.
PDF: http://www.lbd.dcc.ufmg.br/colecoes/sbseg/2014/0020.pdf
Title: Neighborhoods or condominiums: an analysis of spam origin based on the organization of autonomous systems (Original Title in Portuguese: Vizinhanças ou condomínios: uma análise da origem de spams com base na organização de sistemas autônomos)
Authors: Osvaldo Fonseca, Pedro Henrique B. Las-Casas, Elverton Fazzion, Dorgival Guedes, Wagner Meira Jr, Cristine Hoepers, Marcelo H. P. C. Chaves, Klaus Steding-Jessen.
Conference: XXXII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos (32nd Brazilian Symposium on Computer Networks and Distributed Systems (SBRC)), 2014, Florianópolis.
PDF: http://sbrc2014.ufsc.br/anais/files/trilha/ST13-3.pdf

Community Engagements:

Marcelo Chaves and Dionathan Nakamura attended the 2014 Honeynet Project Workshop, from 12--16 May 2014, Warsaw, Poland.

Use of our data by the security community:

  • provide data feeds to National CERTs about attacks coming from their respective constituencies;
  • provide public statistics about attack trends;
  • provide some data feeds to organizations such as Shadowserver and Team Cymru, so the data can be used by a broader community to detect infected/compromised systems.

FINDINGS:

We continue to see that the most attacked services are those that allow brute force attacks. SSH and SIP are still the most targeted ones, but in 2014 we have seen an increase in brute force attacks against other services as well, including Telnet, POP3, FTP, RDP, VNC and CMS services.
In 2014 we also saw an increase in the number of automated attacks against consumer connected devices. We saw frequent activity of the Synology NAS bitcoin mining malware. We also saw daily activity of malware trying to compromise D-Link CPEs via telnet: basically, the malware tries to copy itself to the CPE using a HEX echo command via telnet and then runs itself.
Regarding the abuse of the Internet infrastructure to send spam, we continue to see the abuse of SOCKS proxies, a behavior that is still prevalent and hasn't changed since we started the project in 2006.
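The two behaviours described above (brute force against a telnet CLI, and a binary written onto the device with hex "echo -e" commands and then executed) are the kind of thing a telnet listener's session logs can be screened for. The following is an added example, not code from the honeyTARG listeners; it assumes a hypothetical key=value session log format (timestamp, src, sess, event, details), a constructed sample log with documentation-range addresses, and a brute-force threshold of 5 failed logins per source, none of which come from the report.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical telnet-listener log format
# (assumption: not the format of honeyTARG's dlink-telnet listener).
SAMPLE_LOG = """\
2014-05-12T10:01:02Z src=198.51.100.7 sess=a1 event=login user=admin pass=admin result=fail
2014-05-12T10:01:03Z src=198.51.100.7 sess=a1 event=login user=admin pass=1234 result=fail
2014-05-12T10:01:04Z src=198.51.100.7 sess=a1 event=login user=root pass=root result=fail
2014-05-12T10:01:05Z src=198.51.100.7 sess=a1 event=login user=root pass=admin result=fail
2014-05-12T10:01:06Z src=198.51.100.7 sess=a1 event=login user=admin pass=password result=fail
2014-05-12T10:02:10Z src=203.0.113.9 sess=b2 event=login user=admin pass=admin result=ok
2014-05-12T10:02:11Z src=203.0.113.9 sess=b2 event=cmd cmd="cd /tmp"
2014-05-12T10:02:12Z src=203.0.113.9 sess=b2 event=cmd cmd="echo -e '\\x7f\\x45\\x4c\\x46' > .t"
2014-05-12T10:02:13Z src=203.0.113.9 sess=b2 event=cmd cmd="echo -e '\\x01\\x01' >> .t"
2014-05-12T10:02:14Z src=203.0.113.9 sess=b2 event=cmd cmd="chmod +x .t; ./.t"
2014-05-12T10:03:00Z src=192.0.2.5 sess=c3 event=login user=admin pass=admin result=ok
2014-05-12T10:03:01Z src=192.0.2.5 sess=c3 event=cmd cmd="echo hello"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) sess=(?P<sess>\S+) event=(?P<event>\S+) (?P<rest>.*)$')
CMD_RE = re.compile(r'cmd="(?P<cmd>.*)"$')
# "echo -e" carrying at least two \xNN escapes with output redirected to a file:
# the hex-echo file-drop pattern described in the findings.
HEX_ECHO_RE = re.compile(
    r'echo\s+-e\s+.*(?:\\x[0-9a-fA-F]{2}){2,}.*>>?\s*(?P<file>\S+)\s*$')
# A later command that marks the dropped file executable or runs a relative path.
EXEC_RE = re.compile(r'chmod\s+\+x|(?:^|[;&|\s])\./')


def parse_log(text):
    """Parse log lines into event dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        if ev['event'] == 'cmd':
            c = CMD_RE.match(ev['rest'])
            ev['cmd'] = c.group('cmd') if c else ''
        elif ev['event'] == 'login':
            ev['ok'] = 'result=ok' in ev['rest']
        events.append(ev)
    return events


def brute_force_sources(events, threshold=5):
    """Return {src: failed_login_count} for sources at or above the threshold."""
    fails = defaultdict(int)
    for ev in events:
        if ev['event'] == 'login' and not ev['ok']:
            fails[ev['src']] += 1
    return {src: n for src, n in fails.items() if n >= threshold}


def hex_echo_drops(events):
    """Per (src, sess): files written with hex echo, and whether one was then executed."""
    findings = {}
    for ev in events:
        if ev['event'] != 'cmd':
            continue
        key = (ev['src'], ev['sess'])
        m = HEX_ECHO_RE.search(ev['cmd'])
        if m:
            f = findings.setdefault(key, {'files': set(), 'executed': False})
            f['files'].add(m.group('file'))
        elif key in findings and EXEC_RE.search(ev['cmd']) and any(
                fn in ev['cmd'] for fn in findings[key]['files']):
            findings[key]['executed'] = True
    return findings


def analyze(text, threshold=5):
    """Run both detections over a log text and return a plain, comparable summary."""
    events = parse_log(text)
    drops = hex_echo_drops(events)
    return {
        'brute_force': brute_force_sources(events, threshold),
        'hex_echo_drops': {
            f"{src}/{sess}": {'files': sorted(v['files']), 'executed': v['executed']}
            for (src, sess), v in drops.items()},
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

On the constructed sample, the first source is reported for brute force (5 failed logins) and session b2 is reported as a hex-echo drop of `.t` that was subsequently executed; the `echo hello` session is not flagged. The regexes are deliberately narrow (an `-e` echo with at least two hex escapes and a redirection); a real deployment would tune them against the listener's actual session transcripts.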

GOALS:

2014: we reached our goal of revamping the SpamPots Project Partners website and finished the implementation of several new visualization techniques, based on different query interfaces, which were built upon an enhanced database infrastructure. Our staff were trained in Elasticsearch, a key tool for the challenges we want to face in the next year.
2015: we still need to revamp the Distributed Honeypots Project website and make some data from both projects publicly available. The new goal is to build an Elasticsearch cluster for the Distributed Honeypots Project, which will be able to handle the different sources of data the sensors provide, cross-reference them, and build a data visualization project on top of it.
