Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honeypots, Honeynets, Bots and Botenets

Published byCornelia Melanie Kaufer Modified over 6 years ago

Similar presentations

Presentation on theme: "Honeypots, Honeynets, Bots and Botenets"— Presentation transcript:

1 Honeypots, Honeynets, Bots and Botenets
Source: The HoneyNet Project

2 Why HoneyPots A great deal of the security profession and the IT world depend on honeypots. Honeypots Build anti-virus signatures. Build SPAM signatures and filters. ISP’s identify compromised systems. Assist law-enforcement to track criminals. Hunt and shutdown botnets. Malware collection and analysis.

3 What are Honeypots Honeypots are real or emulated vulnerable systems ready to be attacked. Primary value of honeypots is to collect information. This information is used to better identify, understand and protect against threats. Honeypots add little direct value to protecting your network.

4 Types of HoneyPot Server: Put the honeypot on the Internet and let the bad guys come to you. Client: Honeypot initiates and interacts with servers Other: Proxies

5 Types of HoneyPot Low-interaction High-interaction
Emulates services, applications, and OS’s. Low risk and easy to deploy/maintain, but capture limited information. High-interaction Real services, applications, and OS’s Capture extensive information, but high risk and time intensive to maintain.

6 Types of HoneyPot Production Research Easy to use/deploy
Capture limited information Mainly used by companies/corporations Placed inside production network w/other servers Usually low interaction Research Complex to maintain/deploy Capture extensive information Primarily used for research, military, or govt. orgs

7 Examples Of Honeypots Low Interaction High Interaction
BackOfficer Friendly KFSensor Honeyd Honeynets Low Interaction High Interaction

8 Honeynets High-interaction honeypot designed to capture in-depth information. Information has different value to different organizations. Its an architecture you populate with live systems, not a product or software. Any traffic entering or leaving is suspect.

9 How It Works A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed. Data Control Data Capture Data Analysis

10 Honeynet Architecture

11 Data Control Mitigate risk of honeynet being used to harm non-honeynet systems. Count outbound connections. IPS (Snort-Inline) Bandwidth Throttling

12 No Data Control

13 Data Control

14 Data Capture Capture all activity at a variety of levels.
Network activity. Application activity. System activity.

15 Sebek Hidden kernel module that captures all host activity
Dumps activity to the network. Attacker cannot sniff any traffic based on magic number and dst port.

16 Sebek Architecture

17 Honeywall CDROM Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM. May, Released Eeyore May, Released Roo

18 Roo Honeywall CDROM Based on Fedora Core 3
Vastly improved hardware and international support. Automated, headless installation New Walleye interface for web based administration and data analysis. Automated system updating.

19 Installation Just insert CDROM and boot, it installs to local hard drive. After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards. Following installation, you get a command prompt and system is ready to configure.

20 Further Information http://www.honeynet.org/

21 Network Telescope Also known as a darknet, internet motion sensor or black hole Allows one to observe different large-scale events taking place on the Internet. The basic idea is to observe traffic targeting the dark (unused) address-space of the network. Since all traffic to these addresses is suspicious, one can gain information about possible network attacks random scanning worms, and DDoS backscatter As well as other misconfigurations by observing it.

22 Honeytoken honeytokens are honeypots that are not computer systems.
Their value lies not in their use, but in their abuse. As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes. Honeytokens can exist in almost any form, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity—any use of them is inherently suspicious if not necessarily malicious.

23 Honeytoken In general, they don't necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity. An example of a honeytoken is a fake address used to track if a mailing list has been stolen

24 Honeymonkey HoneyMonkey,
short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot. The implementation uses a network of computers to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer. A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site. After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot. The changes are analyzed to determine whether the visited site installed malware onto the honeypot computer.

25 Honeymonkey HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it. The term was coined by Microsoft Research in With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.

26 Tarpit A tarpit (also known as Teergrube, the German word for tarpit) is a service on a computer system (usually a server) that delays incoming connections for as long as possible. The technique was developed as a defense against a computer worm, and the idea is that network abuses such as spamming or broad scanning are less effective if they take too long. The name is analogous with a tar pit, in which animals can get bogged down and slowly sink under the surface.

27 Botnets by Mohammad M. Masud

28 Botnets Introduction History How to they spread? What do they do?
Why care about them? Detection and Prevention

29 Bot The term 'bot' comes from 'robot'.
In computing paradigm, 'bot' usually refers to an automated process. There are good bots and bad bots. Example of good bots: Google bot Game bot Example of bad bots: Malicious software that steals information

30 Botnet Network of compromised/bot- infected machines (zombies) under the control of a human attacker (botmaster) IRC Server Botmaster IRC channel Code Server Updates Vulnerable machines Attack C&C traffic BotNet

31 History In the beginning, there were only good bots.
ex: google bot, game bot etc. Later, bad people thought of creating bad bots so that they may Send Spam and Phishing s Control others pc Launch attacks to servers (DDOS) Many malicious bots were created SDBot/Agobot/Phatbot etc. Botnets started to emerge

32 TimeLine GT bots combined
mIRC client, hacking scripts & tools (port - scanning, DDos) W32/Agobot bot family added modular design and significant functionality W32/Mytob hybrid bot, major outbreak RPCSS GM (by Greg, Operator) recognized as first IRC bot. Entertained clients with games 1989 1999 2000 2001 2002 2003 2004 2005 2006 Present W32/PrettyPark 1st worm to use IRC as C&C. DDoS capable W32/Sdbot First family of bots developed as a single binary Russian named sd W32/Spybot family emerged

33 Cases in the news Axel Gembe Jeffry Parson
Author or Agobot (aka Gaobot, Polybot) 21 yrs old Arrested from Germany in 2004 under Germany’s computer Sabotage law Jeffry Parson Released a variation of Blaster Worm Infected 48,000 computers worldwide 18 yrs old Arrested , sentenced to 18 month & 3yrs of supervised released

34 How The Botnet Grows

35 How The Botnet Grows

36 How The Botnet Grows

37 How The Botnet Grows

38 Recruiting New Machines
Exploit a vulnerability to execute a short program (exploits) on victim’s machine Buffer overflows, viruses, Trojans etc. Exploit downloads and installs actual bot Bot disables firewall and A/V software Bot locates IRC server, connects, joins Typically need DNS to find out server’s IP address Authentication password often stored in bot binary Botmaster issues commands

39 Recruiting New Machines

40 What Is It Used For Botnets are mainly used for only one thing

41 How Are They Used Distributed Denial of Service (DDoS) attacks
Sending Spams Phishing (fake websites) Addware (Trojan horse) Spyware (keylogging, information harvesting) Storing pirated materials

42 Example : SDBot Open-source Malware Aliases
Mcafee: IRC-SDBot, Symantec: Backdoor.Sdbot Infection Mostly through network shares Try to connect using password guessing (exploits weak passwords) Signs of Compromise SDBot copies itself to System folder - Known filenames: Aim95.exe, Syscfg32.exe etc.. Registry entries modified Unexpected traffic : port 6667 or 7000 Known IRC channels: Zxcvbnmas.i989.net etc..

43 Example : RBot First of the Bot families to use encryption Aliases
Mcafee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm Infection Network shares, exploiting weak passwords Known s/w vulnerabilities in windows (e.g.: lsass buffer overflow vulnerability) Signs of Compromise copies itself to System folder - Known filenames: wuamgrd.exe, or random names Registry entries modified Terminate A/V processes Unexpected traffic: 113 or other open ports

44 Example : Agobot Modular Functionality
Rather than infecting a system at once, it proceeds through three stages (3 modules) infect a client with the bot & open backdoor shut down A/V tools block access to A/V and security related sites After successful completion of one stage, the code for the next stage is downloaded Advantage? developer can update or modify one portion/module without having to rewrite or recompile entire code

45 Example : Agobot Aliases
Mcafee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen Infection Network shares, password guessing P2P systems: Kazaa etc.. Protocol: WASTE Signs of Compromise System folder: svshost.exe, sysmgr.exe etc.. Registry entries modification Terminate A/V processes Modify %System\drivers\etc\hosts file Symantec/ Mcafee’s live update sites are redirected to

46 Example : Agobot Signs of Compromise (contd..)
Theft of information: seek and steal CD keys for popular games like “Half-Life”, “NFS” etc.. Unexpected Traffic: open ports to IRC server etc.. Scanning: Windows, SQL server etc..

47 DDos Attack Goal: overwhelm victim machine and deny service to its legitimate clients DoS often exploits networking protocols Smurf: ICMP echo request to broadcast address with spoofed victim’s address as source Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows SYN flood: “open TCP connection” request from a spoofed address UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets

48 Master (IRC Server) machines
DDoS attack Coordinated attack to specified host Attacker Master (IRC Server) machines Zombie machines Victim

49 Why DDoS attack? Extortion Example: 180 Solutions – Aug 2005
Take down systems until they pay Works sometimes too! Example: 180 Solutions – Aug 2005 Botmaster used bots to distribute 180solutions addware 180solution shutdown botmaster Botmaster threatened to take down 180solutions if not paid When not paid, botmaster use DDoS 180Solutions filed Civil Lawsuit against hackers

50 Botnet Detection Host Based Intrusion Detection Systems (IDS)
Anomaly Detection IRC Nicknames HoneyPot and HoneyNet

51 Host-based detection Virus scanning Watching for Symptoms
Modification of windows hosts file Random unexplained popups Machine slowness Antivirus not working Watching for Suspicious network traffic Since IRC is not commonly used, any IRC traffic is suspicious. Sniff these IRC traffic Check if the host is trying to communicate to any Command and Control (C&C) Center Through firewall logs, denied connections

52 Network Intrusion Detection Systems
Example Systems: Snort and Bro Sniff network packets, looks for specific patterns (called signatures) If any pattern matches that of a malicious binary, then block that traffic and raise alert These systems can efficiently detect virus/worms having known signatures Can't detect any malware whose signature is unknown (i.e., zero day attack)

53 Anomaly Detection Normal traffic has some patterns
Bandwidth/Port usage Byte-level characteristics (histograms) Protocol analysis – gather statistics about TCP/UDP src, dest address Start/end of flow, Byte count DNS lookup First learn normal traffic pattern Then detect any anomaly in that pattern Example systems: SNMP, NetFlow Problems: Poisoning Stealth

54 IRC Nicknames Bots use weird nicknames
But they have certain pattern (really!) If we can learn that pattern, we can detect bots & botnets Example nicknames: USA| or DE| Country | Random number (9 digit) RBOT|XP|48124 Bot type | Machine Type | Random number Problem: May be defeated by changing the nickname randomly

55 HoneyPot and HoneyNet HoneyPot is a vulnerable machine, ready to be attacked Example: unpatched windows or windows XP Once attacked, the malware is caught inside The malware is analyzed, its activity is monitored When it connects to the C&C server, the server’s identity is revealed

56 HoneyPot and HoneyNet Thus many information about the bot is obtained
C&C server address, master commands Channel, Nickname, Password Now Do the following make a fake bot join the same IRC channel with the same nickname/password Monitor who else are in the channel, thus observer the botnet Collect statistics – how many bots Collect sensitive information – who is being attacked, when etc..

57 HoneyPot and HoneyNet Finally, take down the botnet
HoneyNet: a network of honeypots (see the ‘HoneyNet Project’) Very effective, worked in many cases They also pose great security risk If not maintained properly - Hacker may use them to attack others Must be monitored cautiously

Download ppt "Honeypots, Honeynets, Bots and Botenets"

Similar presentations

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Honeypots, Honeynets, Bots and Botenets Source: The HoneyNet Project

Honeypots, Honeynets, Bots and Botenets Source: The HoneyNet Project
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Botnets by Mehedy Masud September 16, 2009. Botnets ● Introduction ● History ● How to they spread? ● What do they do? ● Why care about them? ● Detection.

Botnets by Mehedy Masud September 16, Botnets ● Introduction ● History ● How to they spread? ● What do they do? ● Why care about them? ● Detection.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
Botnets An Introduction Into the World of Botnets Tyler Hudak

Botnets An Introduction Into the World of Botnets Tyler Hudak
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
BotNet Detection Techniques By Shreyas Sali

BotNet Detection Techniques By Shreyas Sali
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.

Similar presentations

Ads by Google