
Honeypots, Honeynets, Bots and Botnets
Cyber security essentials

Why HoneyPots
A great deal of the security profession and the IT world depends on honeypots. Honeypots are used to:
◦ Build anti-virus signatures.
◦ Build SPAM signatures and filters.
◦ Help ISPs identify compromised systems.
◦ Assist law enforcement to track criminals.
◦ Hunt and shut down botnets.
◦ Collect and analyze malware.
What are Honeypots
• Honeypots are real or emulated vulnerable systems ready to be attacked.
• The primary value of honeypots is to collect information.
• This information is used to better identify, understand and protect against threats.
• Honeypots add little direct value to protecting your network.
Types of HoneyPot
• Server: Put the honeypot on the Internet and let the bad guys come to you.
• Client: The honeypot initiates and interacts with servers.
• Other: Proxies
Types of HoneyPot
• Low-interaction
◦ Emulates services, applications, and OS's.
◦ Low risk and easy to deploy/maintain, but captures limited information.

• High-interaction
◦ Real services, applications, and OS's.
◦ Captures extensive information, but high risk and time-intensive to maintain.
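To make the low-interaction idea concrete, here is an added example (not code from the slides or from any of the tools named later) of an emulated FTP login service: it keeps a client talking with a banner and the USER/PASS/QUIT dialogue, logs every command and credential guess, and never grants access because nothing real sits behind it. That is exactly the trade-off the slide describes: low risk, limited information (who connected, what they tried). The hostname in the banner and the sample session are constructed.

```python
"""Low-interaction honeypot: an emulated FTP login dialogue (added example)."""
import socketserver
import threading
from dataclasses import dataclass, field
from typing import List, Optional

BANNER = b"220 ftp.example.test FTP server ready\r\n"  # constructed hostname


@dataclass
class Session:
    peer: str
    user: Optional[str] = None
    events: List[dict] = field(default_factory=list)


class FtpEmulator:
    """State machine: one request line in, one reply out, everything logged."""

    def __init__(self, session: Session):
        self.s = session

    def handle(self, line: bytes) -> bytes:
        cmd, _, arg = line.strip().decode("latin-1").partition(" ")
        cmd = cmd.upper()
        event = {"peer": self.s.peer, "cmd": cmd, "arg": arg}
        self.s.events.append(event)
        if cmd == "USER":
            self.s.user = arg
            return b"331 Password required\r\n"
        if cmd == "PASS":
            event["user"] = self.s.user       # record the guessed pair ...
            return b"530 Login incorrect\r\n"  # ... but never accept it
        if cmd == "QUIT":
            return b"221 Goodbye\r\n"
        return b"530 Please login with USER and PASS\r\n"


def credential_guesses(session: Session):
    """Credential pairs an attacker tried against this honeypot."""
    return [(e["user"], e["arg"]) for e in session.events if e["cmd"] == "PASS"]


class Handler(socketserver.StreamRequestHandler):
    """Glue between a TCP connection and the emulator."""

    def handle(self):
        session = Session(peer=self.client_address[0])
        emu = FtpEmulator(session)
        self.wfile.write(BANNER)
        for line in self.rfile:
            reply = emu.handle(line)
            self.wfile.write(reply)
            if reply.startswith(b"221"):
                break
        self.server.sessions.append(session)


def serve(host="127.0.0.1", port=0):
    """Start the honeypot in a background thread; returns (server, bound port)."""
    srv = socketserver.ThreadingTCPServer((host, port), Handler)
    srv.sessions = []  # completed sessions, for later analysis
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = serve()
    print(f"fake FTP listening on 127.0.0.1:{port}; try: nc 127.0.0.1 {port}")
    threading.Event().wait()
```

Run it and connect with a telnet or netcat client; each finished session ends up in `srv.sessions`, and `credential_guesses()` extracts the password guesses, which is the kind of data a low-interaction honeypot feeds into signature building.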
Types of HoneyPot
• Production
◦ Easy to use/deploy
◦ Captures limited information
◦ Mainly used by companies/corporations
◦ Placed inside the production network with other servers
◦ Usually low interaction

• Research
◦ Complex to maintain/deploy
◦ Captures extensive information
◦ Primarily used by research, military, or government organizations
Examples Of Honeypots

Low Interaction
• BackOfficer Friendly
• KFSensor
• Honeyd

High Interaction
• Honeynets

Honeynets
• High-interaction honeypot designed to capture in-depth information.
• Information has different value to different organizations.
• It's an architecture you populate with live systems, not a product or software.
• Any traffic entering or leaving is suspect.
How It Works
• A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
◦ Data Control
◦ Data Capture
◦ Data Analysis
Honeynet Architecture
Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline)
• Bandwidth throttling
No Data Control
Data Control
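The "count outbound connections" control can be modelled as a small policy engine. The following is an added example, not code from the slides and not the Honeywall's own implementation (which enforces this with iptables): inbound traffic always passes, because that is the attacker we want to study, while each honeypot may open at most N outbound connections per protocol per sliding window and everything beyond that is dropped. The limits and the event log are constructed.

```python
"""Honeynet data control as an outbound-connection counter (added example)."""
from collections import defaultdict, deque

# constructed per-hour limits in the spirit of the Honeywall defaults
DEFAULT_LIMITS = {"tcp": 20, "udp": 20, "icmp": 50, "other": 10}


class OutboundLimiter:
    def __init__(self, limits=DEFAULT_LIMITS, window=3600):
        self.limits = limits
        self.window = window
        self.opened = defaultdict(deque)  # (honeypot, proto) -> timestamps of allowed connections

    def decide(self, ts, honeypot, proto):
        """Return 'allow' or 'drop' for a new outbound connection at time ts."""
        q = self.opened[(honeypot, proto)]
        while q and ts - q[0] >= self.window:  # forget connections outside the window
            q.popleft()
        if len(q) >= self.limits.get(proto, self.limits["other"]):
            return "drop"  # honeypot has used up its budget: cannot harm third parties
        q.append(ts)
        return "allow"


def apply_policy(events, limiter=None):
    """events: (ts, direction, honeypot, proto, peer). Inbound always passes."""
    limiter = limiter or OutboundLimiter()
    decisions = []
    for ts, direction, hp, proto, peer in events:
        verdict = "allow" if direction == "in" else limiter.decide(ts, hp, proto)
        decisions.append((ts, direction, hp, proto, peer, verdict))
    return decisions


def summarize(decisions):
    return {
        "allowed_out": sum(1 for d in decisions if d[1] == "out" and d[5] == "allow"),
        "dropped_out": sum(1 for d in decisions if d[1] == "out" and d[5] == "drop"),
    }


# constructed log: honeypot hp1 is attacked, then tries 25 outbound TCP
# connections in one minute, then one more an hour later
SAMPLE = (
    [(0, "in", "hp1", "tcp", "198.51.100.9")]
    + [(10 + i, "out", "hp1", "tcp", f"203.0.113.{i}") for i in range(25)]
    + [(4000, "out", "hp1", "tcp", "203.0.113.99")]
)

if __name__ == "__main__":
    for d in apply_policy(SAMPLE):
        print(d)
    print(summarize(apply_policy(SAMPLE)))
```

With the default TCP limit of 20, the first 20 outbound attempts pass, the next 5 are dropped, and the attempt an hour later is allowed again because the window has slid; the attacker still sees a live system, just one whose blast radius is capped.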
Data Capture
• Capture all activity at a variety of levels:
◦ Network activity.
◦ Application activity.
◦ System activity.
Sebek
• Hidden kernel module that captures all host activity.
• Dumps the captured activity to the network.
• The attacker cannot sniff this traffic: the module hides packets that match its magic number and destination port.
Sebek Architecture
Honeywall CDROM
• Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
• May 2003 - Released Eeyore
• May 2005 - Released Roo
Roo Honeywall CDROM
• Based on Fedora Core 3
• Vastly improved hardware and international support.
• Automated, headless installation
• New Walleye interface for web-based administration and data analysis.
• Automated system updating.
Installation
• Just insert the CDROM and boot; it installs to the local hard drive.
• After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
• Following installation, you get a command prompt and the system is ready to configure.
Further Information
• http://www.honeynet.org/
• http://www.honeynet.org/book
Network Telescope
• Also known as a darknet, internet motion sensor or black hole.
• Allows one to observe different large-scale events taking place on the Internet.
• The basic idea is to observe traffic targeting the dark (unused) address space of the network.
• Since all traffic to these addresses is suspicious, observing it gives information about possible network attacks, as well as about other misconfigurations:
◦ random scanning worms, and DDoS backscatter
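As an added illustration of how darknet traffic is triaged (this is example code, not from the slides or any telescope project), the script below sorts packets addressed to an unused block by what they most likely are: TCP SYNs from one source to many dark addresses look like a scanning worm; unsolicited SYN-ACK or RST packets are backscatter from a DDoS whose spoofed source addresses fell inside our dark space, so their senders are the victims; anything else is kept for manual review. The dark block and the packet records are constructed.

```python
"""Network telescope (darknet) traffic triage (added example)."""
import ipaddress
from collections import Counter, defaultdict

DARK_SPACE = ipaddress.ip_network("203.0.113.0/24")  # constructed unused block

# constructed packet records: (src, dst, proto, tcp_flags)
SAMPLE = (
    [("198.51.100.7", f"203.0.113.{i}", "tcp", "S") for i in range(1, 41)]   # worm-like sweep
    + [("192.0.2.10", f"203.0.113.{i}", "tcp", "SA") for i in range(50, 56)]  # backscatter
    + [("192.0.2.10", "203.0.113.56", "tcp", "R")]                            # backscatter
    + [("198.51.100.200", "203.0.113.1", "udp", "")]                          # lone UDP packet
    + [("198.51.100.7", "198.51.100.1", "tcp", "S")]                          # not dark: ignored
)


def classify(pkt):
    src, dst, proto, flags = pkt
    if ipaddress.ip_address(dst) not in DARK_SPACE:
        return None  # a telescope only sees dark-space traffic
    if proto == "tcp" and flags == "S":
        return "probe"  # nobody legitimately connects to an unused address
    if proto == "tcp" and flags in ("SA", "R", "RA"):
        return "backscatter"  # reply to a SYN we never sent: someone spoofed our space
    return "other"


def triage(packets):
    """Per source: counts by kind plus the number of distinct dark addresses probed."""
    per_src = defaultdict(Counter)
    targets = defaultdict(set)
    for pkt in packets:
        kind = classify(pkt)
        if kind is None:
            continue
        per_src[pkt[0]][kind] += 1
        if kind == "probe":
            targets[pkt[0]].add(pkt[1])
    report = {}
    for src, counts in per_src.items():
        report[src] = dict(counts)
        report[src]["targets"] = len(targets[src])
    return report


def suspected_scanners(report, sweep_threshold=16):
    """Sources that probed at least sweep_threshold distinct dark addresses."""
    return sorted(s for s, r in report.items() if r.get("targets", 0) >= sweep_threshold)


def suspected_ddos_victims(report):
    """Sources of backscatter are the hosts being flooded with spoofed SYNs."""
    return sorted(s for s, r in report.items() if r.get("backscatter", 0))


if __name__ == "__main__":
    rep = triage(SAMPLE)
    print("scanners:", suspected_scanners(rep))
    print("ddos victims:", suspected_ddos_victims(rep))
```

The sweep threshold is the tunable part: a source that hits one dark address may be a typo or misconfiguration (the "other" bucket), while forty SYNs across the block within a capture is the signature of random scanning.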
Honeytoken
• Honeytokens are honeypots that are not computer systems.
• Their value lies not in their use, but in their abuse.
• As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes.
• Honeytokens can exist in almost any form,
◦ from a dead, fake account to a
◦ database entry that would only be selected by malicious queries,
◦ making the concept ideally suited to ensuring data integrity: any use of them is inherently suspicious if not necessarily malicious.
Honeytoken
• In general, they don't necessarily prevent any tampering with the data,
◦ but instead give the administrator a further measure of confidence in the data integrity.
• An example of a honeytoken is a fake email address used to track whether a mailing list has been stolen.
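The two honeytokens the slides describe, the fake mailing-list address and the database row only a malicious query would select, both need a check that turns abuse into an alert. The following added example (not from the slides) implements both: a mail-log scan that reports any delivery attempt to the seeded address, and a query wrapper that raises when the canary row shows up in a result set. The token values, the Postfix-style log lines and the customer table are all constructed.

```python
"""Honeytoken checks: seeded mail address and canary database row (added example)."""
import re
import sqlite3

HONEYTOKEN_EMAIL = "newsletter-audit-7f3a@example.test"  # constructed; no real person uses it
CANARY_ID = 999999                                       # constructed canary row id

# constructed Postfix-style log excerpt
MAIL_LOG = """\
Jan 14 03:12:01 mx1 postfix/smtpd[4413]: connect from unknown[198.51.100.23]
Jan 14 03:12:02 mx1 postfix/qmgr[1011]: 7A2B1: from=<deals@spam.example>, size=8123
Jan 14 03:12:02 mx1 postfix/smtpd[4413]: 7A2B1: to=<alice@example.test>
Jan 14 03:12:02 mx1 postfix/smtpd[4413]: 7A2B1: to=<newsletter-audit-7f3a@example.test>
Jan 14 09:00:00 mx1 postfix/smtpd[4420]: 7A2C9: to=<bob@example.test>
"""

TO_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")


def mail_to_honeytoken(log_text, token=HONEYTOKEN_EMAIL):
    """(timestamp, queue id) of every delivery attempt to the seeded address."""
    hits = []
    for line in log_text.splitlines():
        m = TO_RE.match(line)
        if m and m.group("rcpt").lower() == token.lower():
            hits.append((m.group("ts"), m.group("qid")))
    return hits  # any hit means the list that contained the token has leaked


def build_db():
    """In-memory customer table with one canary row the application never references."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Alice", "alice@example.test"),
        (2, "Bob", "bob@example.test"),
        (CANARY_ID, "Honeytoken Row", HONEYTOKEN_EMAIL),
    ])
    return conn


def monitored_query(conn, sql, params=()):
    """Run a query; raise if the canary row is among the results (integrity alarm)."""
    rows = conn.execute(sql, params).fetchall()
    if any(v in (CANARY_ID, HONEYTOKEN_EMAIL) for row in rows for v in row):
        raise RuntimeError(f"honeytoken row selected by: {sql}")
    return rows


if __name__ == "__main__":
    print("mail hits:", mail_to_honeytoken(MAIL_LOG))
    db = build_db()
    print("normal lookup:", monitored_query(db, "SELECT * FROM customers WHERE id = ?", (1,)))
    try:
        monitored_query(db, "SELECT * FROM customers")  # a bulk dump trips the canary
    except RuntimeError as err:
        print("ALERT:", err)
```

A lookup by primary key never touches the canary, so normal application code is unaffected; a table dump, a scraping query, or an injected `OR 1=1` returns it and is flagged, which is the "confidence in data integrity" the slide refers to rather than prevention.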
Honeymonkey
• HoneyMonkey,
◦ short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot.
• The implementation uses a network of computers
◦ to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer.
◦ A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site.
◦ After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot.
◦ The changes are analyzed to determine whether the visited site installed malware onto the honeypot computer.
Honeymonkey
• HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it.
• The term was coined by Microsoft Research in 2005.
• With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.
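The snapshot-visit-snapshot-compare loop is the heart of the HoneyMonkey design. The code below is an added example, not Microsoft's implementation: where the real system snapshots a whole virtual machine, here the "executables" are files under a scratch directory hashed with SHA-256, the "registry" is a dict of autostart keys, and visiting a site is simulated by a function that drops a binary, adds a Run key and edits the hosts file, which is what a drive-by install does. All paths, key names and file contents are constructed.

```python
"""HoneyMonkey-style state diff: snapshot, visit, snapshot, compare (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot_files(root: Path):
    """{relative path: sha256} for every file below root."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff(before: dict, after: dict):
    """Keys added, removed or whose value changed between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),
    }


def simulated_drive_by(root: Path, registry: dict):
    """Stand-in for 'visiting a malicious site': new binary, persistence, hosts edit."""
    (root / "Downloads" / "svshost.exe").write_bytes(b"MZ constructed payload stub")
    registry[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svshost"] = r"C:\Downloads\svshost.exe"
    hosts = root / "system32" / "drivers" / "etc" / "hosts"
    hosts.write_text("127.0.0.1 localhost\n127.0.0.1 liveupdate.av-vendor.example\n")


def analyse_visit(visit):
    """Run visit(root, registry) between two snapshots and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Downloads").mkdir()
        (root / "system32" / "drivers" / "etc").mkdir(parents=True)
        (root / "system32" / "drivers" / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        registry = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync": "sync.exe"}
        files_before, reg_before = snapshot_files(root), dict(registry)

        visit(root, registry)  # the only step that touches attacker-controlled content

        report = {
            "files": diff(files_before, snapshot_files(root)),
            "registry": diff(reg_before, registry),
        }
        changed = report["files"]["added"] or report["files"]["modified"] or report["registry"]["added"]
        report["install_detected"] = bool(changed)
        return report


if __name__ == "__main__":
    print(analyse_visit(simulated_drive_by))
    print(analyse_visit(lambda root, reg: None))  # a benign site changes nothing
```

A benign visit yields an empty diff; the simulated drive-by shows a new executable, a new Run key and a modified hosts file, the three classes of change a HoneyMonkey analyst would pull the site's URL chain for.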
Tarpit
• A tarpit (also known as Teergrube, the German word for tarpit) is a service on a computer system (usually a server) that delays incoming connections for as long as possible.
• The technique was developed as a defense against a computer worm, and
• the idea is that network abuses such as spamming or broad scanning are less effective if they take too long.
• The name is analogous with a tar pit, in which animals can get bogged down and slowly sink under the surface.
Botnets

by
Mohammad M. Masud
Botnets
• Introduction
• History
• How do they spread?
• What do they do?
• Why care about them?
• Detection and Prevention
Bot
• The term 'bot' comes from 'robot'.
• In the computing paradigm, 'bot' usually refers to an automated process.
• There are good bots and bad bots.
• Examples of good bots:
◦ Google bot
◦ Game bot
• Examples of bad bots:
◦ Malicious software that steals information
Botnet
• Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster)
(Figure: botnet architecture; labels: Botmaster, IRC Server, IRC channel, Code Server, C&C traffic, Updates, Attack, Vulnerable machines)
BotNet History
• In the beginning, there were only good bots.
◦ ex: google bot, game bot etc.
• Later, bad people thought of creating bad bots so that they may
◦ Send spam and phishing emails
◦ Control others' PCs
◦ Launch attacks on servers (DDoS)
• Many malicious bots were created
◦ SDBot/Agobot/Phatbot etc.
• Botnets started to emerge
TimeLine
• GM (by Greg, Operator): recognized as first IRC bot. Entertained clients with games.
• W32/PrettyPark: 1st worm to use IRC as C&C. DDoS capable.
• GT bots: combined mIRC client, hacking scripts & tools (port-scanning, DDoS).
• W32/Sdbot: first family of bots developed as a single binary. Russian named sd
• W32/Agobot bot (RPCSS): family added modular design and significant functionality.
• W32/Spybot family emerged.
• W32/Mytob: hybrid bot, major e-mail outbreak.
• Timeline axis: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, Present
Cases in the news
• Axel Gembe
◦ Author of Agobot (aka Gaobot, Polybot)
◦ 21 yrs old
◦ Arrested in Germany in 2004 under Germany's computer sabotage law

• Jeffrey Parson
◦ Released a variation of the Blaster worm
◦ Infected 48,000 computers worldwide
◦ 18 yrs old
◦ Arrested, sentenced to 18 months & 3 yrs of supervised release
How The Botnet Grows
Recruiting New Machines
• Exploit a vulnerability to execute a short program (exploit) on the victim's machine
◦ Buffer overflows, email viruses, Trojans etc.
• The exploit downloads and installs the actual bot
• The bot disables firewall and A/V software
• The bot locates the IRC server, connects, joins
◦ Typically needs DNS to find out the server's IP address
◦ Authentication password often stored in the bot binary
• Botmaster issues commands
What Is It Used For
• Botnets are mainly used for only one thing
How Are They Used
• Distributed Denial of Service (DDoS) attacks
• Sending spam
• Phishing (fake websites)
• Adware (Trojan horse)
• Spyware (keylogging, information harvesting)
• Storing pirated materials
Example : SDBot
• Open-source malware
• Aliases
◦ McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
• Infection
◦ Mostly through network shares
◦ Tries to connect using password guessing (exploits weak passwords)
• Signs of Compromise
◦ SDBot copies itself to the System folder. Known filenames: Aim95.exe, Syscfg32.exe etc.
◦ Registry entries modified
◦ Unexpected traffic: port 6667 or 7000
◦ Known IRC channels: Zxcvbnmas.i989.net etc.
Example : RBot
• First of the bot families to use encryption
• Aliases
◦ McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
• Infection
◦ Network shares, exploiting weak passwords
◦ Known s/w vulnerabilities in Windows (e.g., LSASS buffer overflow vulnerability)
• Signs of Compromise
◦ Copies itself to the System folder. Known filenames: wuamgrd.exe, or random names
◦ Registry entries modified
◦ Terminates A/V processes
◦ Unexpected traffic: port 113 or other open ports
Example : Agobot
• Modular Functionality
◦ Rather than infecting a system at once, it proceeds through three stages (3 modules)
- infect a client with the bot & open a backdoor
- shut down A/V tools
- block access to A/V and security-related sites
◦ After successful completion of one stage, the code for the next stage is downloaded

• Advantage?
◦ The developer can update or modify one portion/module without having to rewrite or recompile the entire code
Example : Agobot
• Aliases
◦ McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
• Infection
◦ Network shares, password guessing
◦ P2P systems: Kazaa etc.
◦ Protocol: WASTE
• Signs of Compromise
◦ System folder: svshost.exe, sysmgr.exe etc.
◦ Registry entries modified
◦ Terminates A/V processes
◦ Modifies the %System%\drivers\etc\hosts file
- Symantec/McAfee's live update sites are redirected to 127.0.0.1
Example : Agobot
• Signs of Compromise (contd.)
◦ Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS" etc.
◦ Unexpected traffic: open ports to the IRC server etc.
◦ Scanning: Windows, SQL Server etc.
DDoS Attack
• Goal: overwhelm the victim machine and deny service to its legitimate clients
• DoS often exploits networking protocols
◦ Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source
◦ Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
◦ SYN flood: "open TCP connection" requests from a spoofed address
◦ UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets
DDoS attack
• Coordinated attack on a specified host
(Figure: DDoS hierarchy; labels: Attacker, Master (IRC Server) machines, Zombie machines, Victim)
Why DDoS attack?
• Extortion
◦ Take down systems until they pay
◦ Works sometimes too!
• Example: 180 Solutions - Aug 2005
◦ Botmaster used bots to distribute 180solutions adware
◦ 180solutions shut down the botmaster
◦ Botmaster threatened to take down 180solutions if not paid
◦ When not paid, the botmaster used DDoS
◦ 180Solutions filed a civil lawsuit against the hackers
Botnet Detection
• Host based
• Intrusion Detection Systems (IDS)
• Anomaly detection
• IRC nicknames
• HoneyPot and HoneyNet
Host-based detection
• Virus scanning
• Watching for symptoms
◦ Modification of the Windows hosts file
◦ Random unexplained popups
◦ Machine slowness
◦ Antivirus not working
• Watching for suspicious network traffic
◦ Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic.
◦ Check whether the host is trying to communicate with any Command and Control (C&C) center
◦ Through firewall logs: denied connections
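One of the symptoms above, the modified hosts file, is cheap to check automatically, and it is the same sign of compromise listed for Agobot (A/V and update sites pointed at 127.0.0.1 so that signature updates silently fail). The following is an added example, not from the slides: it parses the hosts file format (address, then one or more names, `#` comments) and flags any security-vendor name mapped to a loopback or unspecified address. The vendor keyword list and the sample file are assumptions constructed for the example.

```python
"""Host-based check: security sites sinkholed in the hosts file (added example)."""
import ipaddress
import os
from pathlib import Path

# assumption: substrings that identify A/V and update hosts worth watching
VENDOR_KEYWORDS = ("symantec", "mcafee", "windowsupdate", "antivirus")

# constructed sample of a tampered Windows hosts file
SAMPLE_HOSTS = """\
# Windows hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
192.0.2.40      intranet.corp.example   # legitimate local override
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       update.symantec.com
0.0.0.0         download.mcafee.com
127.0.0.1       windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not our concern here
        for name in parts[1:]:
            yield lineno, ip, name.lower()


def is_sinkhole(ip):
    """127.0.0.0/8, ::1 and 0.0.0.0 all make a name unreachable."""
    return ip.is_loopback or ip.is_unspecified


def redirected_security_sites(text, keywords=VENDOR_KEYWORDS):
    """(line, hostname, ip) for each vendor name that has been sinkholed."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback mapping that belongs there
        if is_sinkhole(ip) and any(k in name for k in keywords):
            findings.append((lineno, name, str(ip)))
    return findings


def check_local_hosts():
    """Read this machine's hosts file (Windows or POSIX location) and check it."""
    if os.name == "nt":
        root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
        path = root / "System32" / "drivers" / "etc" / "hosts"
    else:
        path = Path("/etc/hosts")
    return redirected_security_sites(path.read_text(errors="replace"))


if __name__ == "__main__":
    for lineno, name, ip in redirected_security_sites(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
    print("local hosts file findings:", check_local_hosts())
```

Any finding is worth treating as a compromise indicator rather than a misconfiguration: administrators rarely sinkhole their own A/V update servers, and a bot that did so has also, per the Agobot slide, likely terminated the A/V processes.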
Network Intrusion Detection Systems
• Example systems: Snort and Bro
• Sniff network packets, looking for specific patterns (called signatures)
• If any pattern matches that of a malicious binary, then block that traffic and raise an alert
• These systems can efficiently detect viruses/worms having known signatures
• Can't detect any malware whose signature is unknown (i.e., zero-day attack)
Anomaly Detection
• Normal traffic has some patterns
◦ Bandwidth/port usage
◦ Byte-level characteristics (histograms)
◦ Protocol analysis: gather statistics about TCP/UDP src/dest address, start/end of flow, byte count, DNS lookups
• First learn the normal traffic pattern
• Then detect any anomaly in that pattern
• Example systems: SNMP, NetFlow
• Problems:
◦ Poisoning
◦ Stealth
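The learn-then-detect loop above can be shown on NetFlow-like records. The following added example (not from the slides, and not NetFlow or SNMP code) builds, per host, a baseline of destination ports seen and the mean and spread of hourly byte volume from training flows, then scores a new hour against it: an unseen destination port or a volume more than `z_max` standard deviations above the mean produces a finding. All flow records are constructed.

```python
"""Anomaly detection on flow statistics: learn normal, flag deviation (added example)."""
import statistics
from collections import defaultdict

# constructed training flows: (host, hour, dst_port, bytes); five quiet hours
TRAINING = (
    [("10.0.0.5", h, 443, b) for h, b in enumerate([800, 850, 900, 820, 880])]
    + [("10.0.0.5", h, 80, b) for h, b in enumerate([200, 250, 300, 230, 270])]
)


def build_baseline(flows):
    """Per host: ports ever used plus mean/stdev of bytes per hour."""
    ports = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))
    for host, hour, port, nbytes in flows:
        ports[host].add(port)
        hourly[host][hour] += nbytes
    baseline = {}
    for host in ports:
        vols = list(hourly[host].values())
        baseline[host] = {
            "ports": ports[host],
            "mean": statistics.mean(vols),
            "stdev": max(statistics.pstdev(vols), 1.0),  # floor avoids division by zero
        }
    return baseline


def score_hour(baseline, flows, z_max=3.0):
    """Score one hour of flows; returns a list of (host, reason)."""
    findings = []
    observed = defaultdict(lambda: {"bytes": 0, "ports": set()})
    for host, hour, port, nbytes in flows:
        observed[host]["bytes"] += nbytes
        observed[host]["ports"].add(port)
    for host, obs in observed.items():
        base = baseline.get(host)
        if base is None:
            findings.append((host, "no baseline for host"))
            continue
        for port in sorted(obs["ports"] - base["ports"]):
            findings.append((host, f"new destination port {port}"))
        z = (obs["bytes"] - base["mean"]) / base["stdev"]
        if z > z_max:
            findings.append((host, f"volume z-score {z:.1f} exceeds {z_max}"))
    return findings


# constructed test hours: a normal one and one where the host joins IRC and sends spam
QUIET_HOUR = [("10.0.0.5", 10, 443, 870), ("10.0.0.5", 10, 80, 310)]
BOT_HOUR = [("10.0.0.5", 9, 443, 900), ("10.0.0.5", 9, 6667, 1500), ("10.0.0.5", 9, 25, 40000)]

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print("quiet:", score_hour(base, QUIET_HOUR))
    print("bot:", score_hour(base, BOT_HOUR))
```

The two problems the slide lists map directly onto this code: if the host was already infected during the training hours, port 6667 and the spam volume become part of "normal" (poisoning), and a bot that keeps its traffic within a few standard deviations of the mean never crosses `z_max` (stealth).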
IRC Nicknames
• Bots use weird nicknames
• But they have a certain pattern (really!)
• If we can learn that pattern, we can detect bots & botnets
• Example nicknames:
◦ USA|016887436 or DE|028509327: Country | Random number (9 digits)
◦ RBOT|XP|48124: Bot type | Machine type | Random number
• Problem: May be defeated by changing the nickname randomly
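Nickname patterns are a natural fit for the signature-style matching the NIDS slide describes, so one added example (not from the slides, and not Snort or Bro code) serves both: it extracts nicknames from the two IRC messages that carry them (the client's NICK command and the server's 353 NAMES reply), matches them against the two shapes shown above, and also records channel joins on the IRC ports named for SDBot (6667/7000), since IRC traffic on an office network is suspect even when the nick is unremarkable. The captured lines are constructed.

```python
"""Signature matching of bot nicknames in sniffed IRC traffic (added example)."""
import re

NICK_PATTERNS = {
    "country|random9": re.compile(r"^[A-Z]{2,3}\|\d{9}$"),         # USA|016887436
    "bottype|os|random": re.compile(r"^[A-Z]+\|[A-Z0-9]+\|\d+$"),  # RBOT|XP|48124
}
IRC_PORTS = {6667, 7000}

# server NAMES reply: ":server 353 <nick> = #chan :@op nick1 nick2 ..."
NAMES_RE = re.compile(r"^:\S+ 353 \S+ [=*@] \S+ :(.*)$")

# constructed capture: (src, dst, dst_port, irc line)
CAPTURE = [
    ("10.0.0.5", "198.51.100.50", 6667, "NICK USA|016887436"),
    ("10.0.0.5", "198.51.100.50", 6667, "USER xyz 0 * :xyz"),
    ("10.0.0.5", "198.51.100.50", 6667, "JOIN #bots s3cr3t"),
    ("198.51.100.50", "10.0.0.5", 6667,
     ":irc.example.test 353 USA|016887436 = #bots :@master DE|028509327 RBOT|XP|48124 alice"),
    ("10.0.0.7", "198.51.100.60", 6697, "NICK alice_"),
]


def extract_nicks(line):
    """Nicknames carried by one IRC line (NICK command or 353 reply), else []."""
    if line.startswith("NICK "):
        return [line.split(None, 1)[1].strip()]
    m = NAMES_RE.match(line)
    if m:
        return [n.lstrip("@+") for n in m.group(1).split()]  # drop op/voice prefixes
    return []


def classify_nick(nick):
    """Name of the first bot nickname pattern that matches, or None."""
    for name, rx in NICK_PATTERNS.items():
        if rx.match(nick):
            return name
    return None


def scan(capture):
    alerts = []
    for src, dst, port, line in capture:
        for nick in extract_nicks(line):
            kind = classify_nick(nick)
            if kind:
                alerts.append({"src": src, "dst": dst, "nick": nick, "signature": kind})
        if port in IRC_PORTS and line.startswith("JOIN "):
            chan = line.split()[1]
            alerts.append({"src": src, "dst": dst, "nick": None,
                           "signature": f"join {chan} on port {port}"})
    return alerts


if __name__ == "__main__":
    for a in scan(CAPTURE):
        print(a)
```

Note that the 353 reply is the more valuable source: one server message lists every member of the channel, so a single infected host's capture reveals other bots (and their nick shapes) without touching them. The weakness the slide names applies here too: both regexes fail the moment the bot author randomizes the nick format.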
HoneyPot and HoneyNet
• A HoneyPot is a vulnerable machine, ready to be attacked
• Example: unpatched Windows 2000 or Windows XP
• Once attacked, the malware is caught inside
• The malware is analyzed, its activity is monitored
• When it connects to the C&C server, the server's identity is revealed
HoneyPot and HoneyNet
• Thus much information about the bot is obtained
◦ C&C server address, master commands
◦ Channel, nickname, password
• Now do the following
◦ make a fake bot
◦ join the same IRC channel with the same nickname/password
◦ Monitor who else is in the channel, thus observing the botnet
◦ Collect statistics: how many bots
◦ Collect sensitive information: who is being attacked, when etc.
HoneyPot and HoneyNet
• Finally, take down the botnet
• HoneyNet: a network of honeypots (see the 'HoneyNet Project')
• Very effective, worked in many cases
• They also pose a great security risk
◦ If not maintained properly, hackers may use them to attack others
◦ Must be monitored cautiously
