HONEYNET PROJECT UNAM CHAPTER
Status Report 2008
1.1 Current honeynets deployed.
We are currently running two GenIII honeynets with different OS versions, using non-virtualized high-interaction honeypots. These honeynets are based on the Honeynet Project's bootable Honeywall CD-ROM. We are also running a darknet whose network monitoring architecture is based on Sguil, Snort, Argus, tcpflow and several other data capture and analysis tools. Additionally, we run a Global Distributed Honeynet node in Mexico. We maintain honeypots for malware capture, and every sample is shared with the MwCollect Alliance members. We use the following infrastructure as an early warning and intrusion detection system, so that we can carry out incident response, identify emerging threats on the Internet and share this knowledge with the community.
- Data capture: Sebek, Honeytrap, Honeywall, Nepenthes, tcpdump scripts
- Data analysis: Walleye, Sguil, Honeywall scripts, Honeysnap, structured traffic analysis scripts
Physical systems: 1 Windows XP Professional, 1 Windows Vista Business, 1 GNU/Linux/Solaris/BSD system, 2 Honeytrap honeypots, 10 Nepenthes honeypots
Virtual systems: 4 Honeytrap honeypots, 4 Nepenthes honeypots, 2 GNU/Linux systems, 2 Windows systems, 1 BSD/Solaris system
Sensors: 3 GNU/Linux systems running Sguil, deployed around the university network (RedUNAM)
The operating system of some honeypots changes continuously, following the patterns, vulnerabilities and trends identified in the network traffic; on average an OS stays in place for about one week. Each Honeytrap and Nepenthes honeypot has more than four public IP addresses.
2.1 Highlight any unique findings, attacks, tools, or methods.
In the past year we have identified various kinds of activity within our honeynets and darknets. We started developing new techniques and methods for identifying and analyzing malicious patterns in network traffic, as well as for identifying trends that point to threats that will arise later. We have observed activity in our darknet and honeynets a few hours after the first sighting by other security teams, such as the exploitation attempts against the vulnerability described in Microsoft Security Bulletin MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx) and the worm activity identified as Conficker. Before we captured the first malware sample related to it, we could already identify patterns in the network traffic, such as excessive activity on TCP port 445. This has allowed us to test new techniques for malicious traffic detection, in combination with new tools developed in our organization in Perl and shell script.
Brute force attacks against SSH (secure shell) were the most commonly observed activity, followed by malware propagation through vulnerable Windows services (especially MS-SQL, RPC and SMB). Over the past six months, activity on some well-known ports has increased, specifically TCP (?) ports 1433, 1434 and 445.
Most SSH scans came from Latin American networks and from the United States. We have been able to link some tendencies in the attempted break-ins to the automation of tools attacking specific services previously identified as vulnerable.
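As an added illustration of the traffic-pattern check described above (and of the per-alert evidence tooling planned in 4.2), the following POSIX shell/awk script, which is not the chapter's own code, counts inbound pure SYNs per destination port in `tcpdump -n` text output and flags ports whose volume and source diversity both cross a threshold, so a burst to TCP/445 from many hosts stands out from one noisy client. The sample lines, thresholds and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n` output (not real capture data): a burst of
# inbound SYNs to TCP/445 from several hosts, plus some background traffic.
SAMPLE='12:00:01.000001 IP 203.0.113.10.49152 > 192.0.2.5.445: Flags [S], seq 1, win 65535, length 0
12:00:01.100002 IP 203.0.113.11.49153 > 192.0.2.5.445: Flags [S], seq 2, win 65535, length 0
12:00:01.200003 IP 203.0.113.12.49154 > 192.0.2.6.445: Flags [S], seq 3, win 65535, length 0
12:00:01.300004 IP 203.0.113.10.49155 > 192.0.2.7.445: Flags [S], seq 4, win 65535, length 0
12:00:01.400005 IP 203.0.113.13.49156 > 192.0.2.5.445: Flags [S], seq 5, win 65535, length 0
12:00:02.000006 IP 198.51.100.7.51000 > 192.0.2.5.22: Flags [S], seq 6, win 65535, length 0
12:00:02.100007 IP 198.51.100.7.51001 > 192.0.2.5.22: Flags [S], seq 7, win 65535, length 0
12:00:02.200008 IP 192.0.2.5.80 > 198.51.100.9.40000: Flags [S.], seq 8, ack 1, win 65535, length 0
12:00:02.300009 IP 198.51.100.9.40001 > 192.0.2.5.80: Flags [S], seq 9, win 65535, length 0'

# syn_summary LOG_TEXT : one line per destination port that received pure SYNs
# (SYN-ACKs and other flags are ignored): "<port> <syn_count> <distinct_sources>",
# highest SYN count first.
syn_summary() {
    printf '%s\n' "$1" | awk '
        # tcpdump -n layout: <time> IP <src.port> > <dst.port>: Flags [S], ...
        $2 == "IP" && $7 == "[S]," {
            dst = $5; sub(/:$/, "", dst)           # strip the trailing colon
            n = split(dst, d, "."); port = d[n]    # last dotted field is the port
            src = $3; sub(/\.[0-9]+$/, "", src)    # drop the source port
            syn[port]++
            if (!((port, src) in seen)) { seen[port, src] = 1; srcs[port]++ }
        }
        END { for (p in syn) print p, syn[p], srcs[p] }
    ' | sort -k2,2nr
}

# flag_ports LOG_TEXT MIN_SYNS MIN_SOURCES : ports whose SYN count and number of
# distinct sources both reach the thresholds. Requiring several sources separates
# propagation/scanning from a single misbehaving host.
flag_ports() {
    syn_summary "$1" | awk -v min_syn="$2" -v min_src="$3" '$2 >= min_syn && $3 >= min_src'
}

flag_ports "$SAMPLE" 4 3   # on the constructed sample prints: 445 5 4
```

Pointing the same functions at `tcpdump -n -r capture.pcap` output gives the per-port evidence behind an alert without opening the capture in a GUI.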
2.2 Any trends seen in the past six months.
We have seen that most vulnerabilities exploited on Windows systems were attacked through automated methods, without the involvement of the attacker: malware updated with recent exploit code, such as MS08-067 in the last quarter of last year and the beginning of this year, trying known vulnerabilities. Unix compromises, however, required some kind of interaction from the attacker, who attempted to erase all evidence of compromise on the system, even evidence generated by other successful attacks.
3.0 LESSONS LEARNED
3.1 What new positive things can you share with the community, so they can replicate your success?
Honeynet technologies are one of the main methods UNAM-CERT has for incident detection. Through these techniques we have identified several threats, including malware propagation techniques, port-scan trends and honeypot compromises, which in most cases lets us provide timely alerts and assistance to our internal IT staff.
Honeynet technologies also provide tools to detect, analyze and mitigate threats such as worms, botnets and malware propagation in general.
Deployment of distributed malware sensors across our country, through work with other universities, has enabled a greater range of action and detection of network problems. The patterns identified have helped us determine intruder behavior.
3.2 What new mistakes can you share with the community, so they don't make the same mistakes?
• Once again, don't try to analyze data without a plan. It is extremely important to develop data analysis protocols before opening network traffic files in Wireshark or tcpdump.
• Use several tools for data analysis, even to get the same result. Sometimes a single tool cannot present the results properly. Develop and customize your own tools, such as scripts, to automate the data analysis process.
• Plan exactly what you need and want honeypots for. Sometimes it is not as easy as it seems to define the features of a honeypot; those features depend on what you want to research.
3.3 Are there any research ideas you would like to see developed?
We would like to see other tools for improving information correlation from different sources in a honeynet environment. We would also like to see more work on honeyclients, mainly on avoiding false positives and obtaining more accurate results.
4.1 What tools or functionality are we lacking, what do we need to work on?
When the captured data is sizable, data analysis through the Walleye web interface becomes tedious, because the web browser struggles to display large amounts of data during an investigation.
4.2 What new tools or technology are you working on?
We will start testing Capture-HPC with a URL feeder for the Capture Server fed from several email drop accounts. These email addresses will be posted on sites such as newsgroups and forums, so that we can feed our honeyclient with the URLs included in spam email and observe the activity on these dubious sites.
We are also developing tools for data capture and network traffic analysis. The first goal of this tool is to identify specific anomalies on the network from the capture files generated by tcpdump, Sguil and the sensors deployed around our networks. The tool will be able to show the evidence behind each IDS (Snort) alert, which will help reduce the number of false positives among IDS alerts. It is intended for both forensic analysis and real-time monitoring.
4.3 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
It would be great to work with other honeyclients like HoneyC and MITRE's honeyclient.
5.0 PAPERS AND PRESENTATIONS
5.1 Are you working on any papers to be published, such as KYE or academic papers?
We are working on a paper about the contribution of honeynet technologies to a security telescope that is being implemented on the UNAM data network. We are also working on a paper and how-tos about intrusion detection skills and NSM tools. All these documents will be available on the main website of the UNAM Honeynet Project [www.honeynet.unam.mx].
5.2 Are you looking for any data or people to help with your papers?
It would be great to hear about any experience operating network telescopes (darknets); any findings and mistakes you can share would be valuable.
5.3 Where did you publish/present honeypot-related material?
• Malware sensors plan - Computer Security Conference 2008. Computer security national network meeting. Mexico City, 2008.
• The UNAM Honeynet Project - Computer Security National Network, 2nd Technical Forum of Metropolitan Region, Mexico City Mar. 2007 - Mexico.
• DNS, honeynets and darknets for passive network monitoring within academic networks - XII Simposium Internacional de Ingenierias en Sistemas Computacionales, - ITESM Toluca, Edo. Mexico Sept. 2006 - Mexico.
6.1 Changes in the structure of your organization.
There is a new project leader for the UNAM Honeynet Project:
Javier Santillan [email@example.com]
Full time member: Rubén Aquino Luna.
6.2 Your feedback on Alliance activities.
We could not attend the last Honeynet meeting. It would be great to improve the sharing of our malware and botnet findings with other teams.
6.3 Any suggestions for improving the Alliance?
We could share tools and malware samples found in our logs in a common repository for further analysis.
7.1 Which of your goals did you meet for the last six months?
We have been working with some organizations from the Internet industry in Mexico, mainly ISPs, through the Internet Association of Mexico (AMIPCI), in order to plan a deployment of honeynet technologies in their networks. The goal is to have a broader view of malicious traffic and threats in Mexican data networks.
7.2 Which of your goals did you not meet for the last six months?
The effective use of honeyclients to analyze threats that are reported to our chapter through UNAM-CERT.
7.3 Goals for the next six months
Improve our darknet using the unused address space in our network. We are planning to use both passive sensors (as a packet vacuum) and active sensors (such as honeypots) so that we can capture more malicious activity through it.
Collaborate in deploying honeynet technologies for the Security Network Telescope to be implemented on the UNAM data network.
Consolidate plans with ISPs in Mexico in order to deploy honeynet technologies in their networks. This will allow a greater range of action for the activities of the UNAM Honeynet Project. In addition, the main website of the UNAM Honeynet Project and part of its network infrastructure will be restructured to improve administration and monitoring of activities.
8.0 MISC ACTIVITIES
8.1 Anything else not covered you would like to share.