Join us for the Honeynet Workshop 2024: May 27th–29th, Copenhagen, Denmark

Know Your Enemy: Analysis of 24 Hours Internet Attacks

03 Jan 2018
Abstract For the past decades, bots and botnets have been on the front page of newspapers and are one of the main topics of discussion in the news media. The range of the attacks and their targets have been increasing. 1 A recent example, the Mirai network - a botnet built through insecure Internet of Things (IoT) devices -, has been at the center of attention after it provoked an internet outage primarily on the East Coast.

Know Your Enemy: The Social Dynamics of Hacking

29 May 2012
Abstract Though most information security research focuses on current threats, tools, and techniques to defeat attacks, it is vital to recognize and understand the humans behind attacks. Individual attackers have various skills, motives, and social relationships that shape their actions and the resources they target. In this paper we will explore the distribution of skill in the global hacker community, the influence of on and off-line social relationships, motivations across attackers, and the near-future of threats to improve our understanding of the hacker and attacker community.

Glastopf - A dynamic, low-interaction web application honeypot

15 Nov 2010
Abstract Currently, attacks against web applications make up more than 60% of the total number of attempted attacks on the Internet. Organizations cannot afford to allow their websites be compromised, as this can result in serving malicious content to customers, or leaking customer’s data. Whether the particular web application is part of a company’s website, or a personal web page, there are certain characteristics common to all web applications. Most people trust in the reliability of web applications and they are often hosted on powerful servers with high bandwidth connections to the Internet.

Know Your Tools: Qebek - Conceal the Monitoring

03 Nov 2010
Abstract For the last few years, while low-interaction (LI) honeypot systems like Nepenthes and PHoneyC are getting more and more powerful, the progress of high-interaction (HI) honeypot technology has been somewhat slower. This is especially true for Sebek, the de-facto HI honeypot monitoring tool. In this KYT paper, we introduce Qebek, a QEMU based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers activities in HI honeypots.

Know Your Enemy: Containing Conficker

30 Mar 2009
Abstract The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented.

Know Your Enemy Lite: Proxy Threats - Socks v666

18 Aug 2008
Introduction A common assumption within the network and security community is that Network Address Translation (NAT) and filtering devices such as routers and firewalls provide protection from direct inbound attack and control. Networked systems behind devices of this type are usually assigned private (non-routable) IP addresses and may be screened from arbitrary inbound connections which prevent attackers from initiating connections to these presumed ‘protected’ network assets. To bypass this perimeter defense, attackers have depended on malware to infect the host systems and initiate an outbound connection to a command and control system, perhaps becoming part of a botnet to wait for and then execute commands.

Know Your Enemy: Malicious Web Servers

16 Aug 2008
Introduction Today, many attackers are part of organized crime with the intent to defraud their victims. Their goal is to deploy malware on a victim’s machine and to start collecting sensitive data, such as online account credentials and credit card numbers. Since attackers have a tendency to take the path of least resistance and many traditional attack paths are barred by a basic set of security measures, such as firewalls or anti-virus engines, the “black hats” are turning to easier, unprotected attack paths to place their malware onto the end user’s machine.