Norwegian Chapter - Status Report 2008

ORGANIZATION
This year we've got one new member; Erlend Oftedal. He is working for Bekk Consulting and is maintaining his blog at http://erlend.oftedal.no/blog in addition to ours. He's an expert in web application security. Also, Christian Stigen Larsen has left our chapter. It's excellent that the Honeynet Project finally got it's own SILC server, though we would wish more of the chapters would use it.
The norwegian chapter currently consists of the following members:

  • Einar Oftedal - Chapter Lead
  • Atle Soma - Infrastructure
  • Erlend Oftedal - Web security
  • Maria Kjærand - Profiling
  • Morten Kråkvik - Malware analysis
  • Morten Rodal - Malware analysis
  • Roger Carlsen - Infrastructure
  • Sjur Eivind Usken - VoIP security
  • Tor Inge Skaar - Infrastructure
  • Øystein Fladby - Malware analysis

DEPLOYMENTS

Our current honeynet is a GenIII honeynet with Roo and various various operating systems running as honeypots on VMWare Server. Most of the honeynet is redesigned and reinstalled in the last period in a new data center with stable power and proper AC.

As we've experienced some performance issues with the roo-1.3 version of the honeywall, we've implemented our own ad-hoc solution; a dedicated server bridging the honeynet and the Internett whilst running Ubuntu 7.10 server with Daemonlogger, Snort, Barnyard, Softflowd and NfSen. This gives us an adequate overview and easy access to data going in and out of the honeynet.

We have a central nepenthes honeypot with distributed malware collectors. We are also experimenting with various high-interaction applications honeypots, like; Wordpress-honeypot and MySQL-honeypot.

In addition we've also deployed five ssh-honeypots on different ISP networks throughout Norway. These honeypots records authentication attempts only, and not what the attacker may do after gaining access. The honeypots are based on a modified OpenSSH 4.1 and do not allow any authentication to succeed. All authentication attempts are stored and forwarded to a centralized MySQL database. Currently this database holds a total of 4.2 Million attacks. The ssh-bruteforce honeynet has been running for almost one year.

RESEARCH AND DEVELOPMENT
We're currently doing research on SSH bruteforce attacks and are working on developing a honeypot specifically targeted for VoIP attacks.
 
FINDINGS
SSH Brute Force Attacks
SSH brute force attacks are happening all the time. In this period we've also observed brute force attacks using Norwegian user names, very similar to what we reported in our last status report. In the 11 months we've had our ssh-honeynet operational, we've recorded attacks from 1584 different IP-address. Attacks from 202 of these 1584 address have been seen on all five honeypots (note that these are all located on different large ISP networks throughout Norway, all with different address space allocations). The country distribution of the the 1584 addresses is shown in the graph at http://www.honeynor.no/img/2008_annual_report_SSH_attacking_cc.png

In our blog (http://www.honeynor.no/2008/07/23/size-definitely-matters/), we've got an entry about the observed length of the passwords used against our pots, and the distribution is shown in the graph: http://www.honeynor.no/img/2008_annual_report_SSH_pwlen.png

Not surprisingly, most of the attacks are targeting passwords in the range 4-8 characters. Notice the significant drop after 8 characters, this is probably due to the fact that a lot of systems still enforces an 8-character upper limit. Another reason could be related to human laziness in selecting the lowest amount of characters allowed by the policy, which in all most every case sets the lower limit to 6, 7 or 8 characters. Most policies also defines the recommended length equal to the lower limit. Restricting the length of the password to an upper limit of 6-8 characters is fortunately no longer the case for modern operating systems, but as lower limits and recommendations are still kept at this length, it will be the main target for brute force attacks.
An interesting piece of information extracted from the ssh-database is the password composition distribution as shown here: http://www.honeynor.no/img/2008_annual_report_SSH_pwstats.png

In this graph we examine the composition of each password. By 'characters' we mean alphabetic characters [a-zA-Z] and digits comprise of numbers between 0 and 9. A staggering 71.2 % of all recorded password contained only alphabetic characters! While the usual recommended passwords consisting of both alphanumeric and special characters are only seen in 4.4 % of the cases.
Malware collected
Malware collection from Nepenthes continues. Top three malwares are SDBot, PoeBot, Virut. Analysis with anti-virus scanners shows 70% detection rate (past 12 months of data). Malware submitted to Norman Sandbox on regular basis and CWSandbox on ad-hoc basis for analysis. Manual malware analysis using e.g. Olly debug and IDA.
Malicious VoIP
We have investigated several attacks targeted against VoIP equipment. At one specific corporate network here in Norway, we've experimented with a custom VoIP honeypot with sipsak (http://sipsak.org/) that answers on the first SIP INVITE.
This should trigger the attacker to continue to probe that server for any possible combinations of numbers that will allow the attacker to call onto the POTS network. We've also made some of the finding public on our blog at http://www.honeynor.no/2008/10/19/voip-attacks-are-escalating
Malicious PDF
As a result of the increasing amount of malicious PDF documents used in attacks, we constructed an extensive video (ca. 20 minutes long) showing how to analyze a malicious PDF file, extracting shellcode embedded in it, and doing further analysis on that shellcode. This video demonstration has been very well received, and is one of our top visited blog entries. It's located at http://www.honeynor.no/2008/08/24/analysing-malicious-pdf-documents-and-shellcode/
The PDF document analyzed in this video is a real malware sample trying to exploit the following vulnerabilities; CVE-2008-0655, CVE-2007-5659, CVE-2007-5663, CVE-2007-5666, CVE-2008-0667, CVE-2008-0726, CVE-2008-2042. All vulns are related to Adobe Acrobat, read more at NVD (http://nvd.nist.gov) for more details about these vulnerabilites. IDA Pro, HT, SpiderMonkey and some small custom python scripts were used to perform this analysis.
EXE obfuscated as JPEG
Previously this year, we came across a downloader (win32.exe) that was making some effort in hiding its traffic. The downloader was making GET requests to files, such as search.jpg, winlogon.jpg, tibs.jpg and tool.jpg. Using tools like chaosreader and foremost to extract the files from the recorded pcap, we found out that these files indeed were valid jpeg files. However, when we looked more closely, we found that these files had something more interesting appended past the JPEG data. When we analyzed the superflous contents of the file, we discoved that by doing a simple XOR with the hex value of 31 on the entire image file, the result was a standard microsoft executeable (the malware). We've also seen this kind of obfuscation before, then with the image of a green frog.
Now, what winlogon.jpg (..or the executable inside it) did, was to install BraveSentry, a rogue anti-virus/spyware product that claims to have found malware on your system in order to trick you to purchase their product.
This is not a new obfuscation technique, but it seems to be a characteristic for this group of spyware creators, that are pushing these rogue security programs.
We made a blog entry about this finding, and we also created a video demonstration of how this image file was de-obfuscated using standard unix power tools (http://www.honeynor.no/2008/05/04/obfuscating-downloads/).
SIP
There has been a couple of servers doing port scan on port 5060. It is not much at the moment, but will most likely explode in the next year.
SQL-injection
We've been looking at the results of quite a few of the different SQL-injection (and XSS attacks) successfully performed against norwegian and danish servers. The attacks have several common properties:

  • injects a javascript to the attacked page
  • the script is obfuscated
  • the scripts loads several iframes and other scripts
  • the end exploits are ActiveX, .swf or .pdf attacks

The javascripts are usually pointing to a russian or chinese server. They are obfuscated in different ways. Some simply use url-encoding of the actual script combined with unescape() and eval(), while others use complex encryption functions including long encrypted strings that are decrypted by shifting parts of the string and combining parts in different ways.

The first script usually loads several different other scripts from servers, often contacted by IP. Many of these servers are probably zombies, and a lot of the servers were no longer serving any scripts (the zombies may have been cleaned out). The attackers were using scripts from several different servers, in case one of their zombies go down. So it's basically a "hacker cluster" for availability. The end scripts usually contain several different attacks. We've seen scripts trying to exploit up to ten different activeX-components, and many of the scripts use both activeX and flash (.swf) attacks.

We've written more details of some actual attacks in addition to various mitigation strategies against SQL-injection on our blog at http://www.honeynor.no/2008/11/11/looking-at-some-sql-injection-attacks/
 
PAPERS AND PRESENTATIONS
We are planning to write and publish a paper on SSH bruteforce attacks, kind of a follow-up on the Clarkson Univ. paper called "A Study of Passwords and Methods Used in Brute-Force SSH Attacks" from 2007. We don't yet have a time frame for when it might be finished, as everyone in our chapter have a full-time (and beyond) job to deal with. We have initiated some collaboration with other chapters, but a lot depends on us to actually get some available time.
We presented at a private security conference with 20 people about VoIP security. This was people from different state organizations. We also presented at the Norwegian ISF-conference. More info and slides at http://www.honeynor.no/2008/09/08/talk-about-data-analysis/
 
GOALS
Which of your goals did you meet for the last six months?
Honeynet infrastructure successfully migrated to new datacenter. We've held internal course/training on malware analysis for members on two occasions.
Which of your goals did you not meet for the last six months?
We did not participate in the GDH phase 2 as we had planned, but this is strictly our own fault. We have the necessary hardware readily available and we have the GDH DVD, but unfortunately we've not had the time to get it up and running.
Goals for the next six months
Continued focus on malware analysis, automation of collecting samples and training of team members in analysis and reverse engineering. Get infrastructure running properly in new datacentre. New deployments of honeypots, with focus on getting sebek-integrated honeypots and the first VOIP honeypot up and running. But also more high-level third-party application honeypots. Let's deploy pots for whatever is currently "hot". And finally we have to get more active in the participation of GDH.
 
MISC ACTIVITIES
Here are some lessons learned which we'd like to share:
VOIP/Asterisk works well for conferencing if all members can not participate in person on meetings.
Using a wiki-software (we use MediaWiki) makes it so much easier to gather documentation, analysis and notes from various meetings.
We've also had a big success of deploying a chapter specific blog (we currently use WordPress). Not only has this gained more attention here in Norway to our chapter and HP as an organization, but maybe more importantly it has increased the enthusiasm of the members of our chapter.
Database-ify all the data you can. It makes storing and analyzing the data so much easier.