Indian Honeynet Project : Chapter Status Report For 2011

ORGANIZATION

The Indian Honeynet Project (IHP) (www.honeynet.in) joined the Honeynet Project on July 25, 2009
Current chapter members are from all over the country and the total strength is 150. A list of chapter members is available on the website with a brief introduction about their interests. There are no fees and all activities are driven by individuals voluntarily.

DEPLOYMENTS

1. List current technologies deployed.
2. Activity timeline: Highlight attacks, compromises, and interesting information collected.

RESEARCH AND DEVELOPMENT

1.
We are currently working on enhancing the NepenthesFE tool to include:
• more static-analysis
• classification of malware families
• integration with (online/offline) dynamic malware analysis tools

We took up the front-end tool (NepenthesFE) for the nepenthes honeypot, originally developed by Emre Bastuz, and added few more modules like VirusTotal, Geoip, Afterglow and Google Maps to the framework.

In the future, we would like to setup a multi-sensor NepenthesFE, which would allow us to have a central malware collector mechanism with nepenthes sensors located across the country. The analysis would be viewable to everyone over HTTP.

2.
We are in the process of setting up an information and research center in collaboration with the upcoming Cyber Defense Research Center (CDRC) an initiative of the Indian state of Jharkhand and being set up by the state Law Enforcement Agency under the leadership of the Inspector General of Police (Economic Offences and Cybercrimes wing).

As part of the initiative, the Center will be the nodal agency for a network of NepenthesFE that will be set up across the country in different states. The findings will be analyzed and shared with research and academic institutions, law enforcement agencies and commercial organizations in the country, or overseas, based on approvals from the members.

FINDINGS

During the first phase of our nepenthes honeypot deployment, we found interesting IRC based bots. The analysis (via CWSandbox and Wireshark sniffing) showed us the domains(C&C) it was connecting to: j4m4l.kuwaitarmy.net and russia.blacktiehsbdcs.com

russia.blacktiehsbdcs.com had an unprotected XAMPP installation with the PhpMyAdmin package installed. The MySQL database contained a dump of usernames and passwords of users whose systems may have been infected by the malware binary.

Developing the NepenthesFE tool allowed us to visualize the data captured by our nepenthes honeypot. Many of the basic static analysis operations can be automated into a simple solution before storing the malware binaries into a database. The database can then be queried to generate graphs and statistics of the captured malwares.

PAPERS AND PRESENTATIONS

Honeypot and Malware Analysis
(http://www.honeynet.org.in/reports/KK_Project1.pdf )
Author: Wasim Halani
Contributor: K K Mookhey

NepenthesFE : Front-end to the Nepenthes Honeypot (http://www.honeynet.org.in/reports/NII_IHP_NepenthesFE_0.4.pdf )
Author: Harsh Patel
Contributors: Wasim Halani, K K Mookhey

Real-time Static Malware Analysis using NepenthesFE
(http://malcon.org/web/techbrief/malcon-2010-technical-briefings/)
Presented at: Malcon 2010, Mumbai
Presented by: Wasim Halani, Harsh Patel

Null Chapter Meetings – Mumbai
Topic: Honeypots and NepenthesFE

Clubhack Magazine
(http://chmag.in/article/jul2010/honeypot)
Author: Sudhanshu Chauhan

Clubhack Magazine
(http://chmag.in/article/jul2010/honeyd-track-hackers)
Author: Rakesh Mukundan

Forensic Challenge 7 – “Forensic Analysis of a Compromised System”
Winner: Deva (Dev Anand)
http://bit.ly/iqauK5

GOALS

In the previous year we intended to provide a front-end which can be integrated with our existing nepenthes honeypot. We happened to come across NepenthesFE which was not being developed anymore. We fixed the bugs in the tool and added few other modules as we saw useful.

We intend to further develop our tool NepenthesFE and release a Virtual Machine with all nepenthesfe configurations and the nepenthes honeypot integrated. This would allow others to quickly setup a low interaction honeypot within their own setups.

In the current year, the plan is to drive awareness across academic institutions using a series of interactions to mobilize membership among students and to help set up at least three labs in different states across the country.

MISC ACTIVITIES

Interactions with various academic institutions, law enforcement agencies and commercial organizations to assist them in understanding Honeynets and the contribution to security research, learning and commercial applications.