Friday, October 22, 2010

Dionaea

I wouldn't say I am a honeypot guru. Far from it, but I am not a complete novice either. That being said if you are replacing a product like nepenthes (which was very good IMO) the product you are replacing it with should be ready to roll.

Thanks to Andrew Waite for informing us of the Mercury-Live Honeypot DVD, because it's where I had first run dionaea. Figuring I'm not doing something right and being a hacker (the person who wants to figure things out and not the person who attacks other systems illegally) I decided to start from scratch. Could it be any more complicated?

Documentation is extremely limited. There is only a single page on the whole project. There is a blog that provides some useful information, but again very limited.

One thing I don't really care for is the requirement that dionaea be run as root. I see the reasoning behind it. Obviously binding to specific ports requires the access, but there are ways around it, and with all the configuration required I would think this is something to toss in there.
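The usual way around a permanent root requirement is to do the one thing that needs root (binding the low ports) and then switch to an unprivileged account before any attacker-supplied bytes are parsed. The script below is an added illustration of that pattern in Python; it is not dionaea's code and says nothing about how dionaea itself is built. The `dionaea` user and group names and port 445 are assumptions for the example.

```python
import os
import pwd
import grp
import socket

# Added illustration (not dionaea's code) of "bind as root, then drop":
# privileged setup first, then an irreversible switch to a service account.
# Account names and the port are assumptions for the example.


def running_as_root() -> bool:
    return os.geteuid() == 0


def bind_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Bind a TCP listener. Ports below 1024 need root or CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(user: str, group: str) -> bool:
    """Permanently switch to user/group.

    Returns False when the process is not root (nothing to drop) and True
    once the drop is verified; raises if root could be regained afterwards.
    """
    if not running_as_root():
        return False
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    os.setgroups([])   # supplementary groups first, while we still may
    os.setgid(gid)     # group before user: after setuid we could not change it
    os.setuid(uid)
    try:
        os.setuid(0)   # must fail; if it succeeds the drop was not permanent
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick")


if __name__ == "__main__":
    # Typical order: privileged setup, drop, then serve. Use a high port
    # (e.g. 4445) to try this without root; the drop then simply returns False.
    listener = bind_listener(445)
    print("dropped privileges:", drop_privileges("dionaea", "dionaea"))
    conn, peer = listener.accept()
    print("connection from", peer)
    conn.close()
```

The order inside `drop_privileges` matters: supplementary groups, then gid, then uid, because after `setuid` to an unprivileged user the process can no longer change its groups. The trailing `setuid(0)` probe is the check that the drop was permanent rather than a saved-uid switch.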

The requirement that Python3 be installed within the /opt/dionaea folder was another sticking point. I would think that there would be a better way to do this.

Even scripting the installation with updates would be nice. They have a complete step-by-step write-up on the web page, but if someone took all that effort to write it up I would think it would be fairly simple to write an installation script. Not being a very good programmer I wouldn't know the first thing about doing it, but it could be done.

It would also be a nice option to allow the use of anything other than sqlite to store results.

OK, with all that basically rambled off, it seems fairly stable after install. I'm going to continue to play with it and see how much it takes to break.


Monday, August 2, 2010

Honeypot experimentation

Lately I have been reading Virtual Honeypots and in the interest of education I have been using certain honeypots to gather Malware for reversing. It seems to be a fairly common practice in the Information Security community so why not.

My initial honeypot was a simple and quick installation of Kippo. The instructions were fairly clear on the website and it really takes very little to accomplish, so I won't rehash that here. Andrew Waite has an excellent tutorial on installing Kippo from SVN and logging it to MySQL, though Kippo does not require MySQL to run.

With the honeypot running behind a firewall with the SSH port forwarded internally to my Linux box, I started receiving login attempts within 30 minutes of activation. On average I get a brute force attempt started every hour. Most times it appears to be just a script or bot: once a command shell has been granted, a scripted set of commands is run that tests the shell, and then it logs out. Perhaps someone is just logging open SSH only with the username and password that is there.
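Kippo writes a plain-text log, and the two things described above, the rate of failed guesses per source and the scripted burst of commands right after a successful login, can be pulled out of it with a few lines. The script below is an added example of mine, not Kippo's code or the author's; the log lines it parses are constructed in the shape Kippo logs (source addresses are documentation ranges), and the "scripted session" threshold of three commands within five seconds is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of kippo's text log; not a real capture.
SAMPLE_LOG = """\
2010-08-02 10:15:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] failed
2010-08-02 10:15:02+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/password] failed
2010-08-02 10:15:03+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] succeeded
2010-08-02 10:15:04+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.5] CMD: uname -a
2010-08-02 10:15:04+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.5] CMD: w
2010-08-02 10:15:05+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.5] CMD: cat /proc/cpuinfo
2010-08-02 11:40:10+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [admin/admin] failed
2010-08-02 11:40:12+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [admin/admin123] failed
"""

# timestamp, transport session number and peer address are in every line
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* "
    r"\[.*?HoneyPotTransport,(?P<sess>\d+),(?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)")
CMD_RE = re.compile(r"CMD: (?P<cmd>.*)")


def summarize(log_text, burst_window=5, burst_cmds=3):
    """Count failed guesses per source and flag sessions that fire commands in a burst."""
    failed = defaultdict(int)
    successes = []
    cmds = defaultdict(list)  # (ip, session) -> [(timestamp, command)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, sess, msg = m["ip"], m["sess"], m["msg"]
        lm = LOGIN_RE.match(msg)
        if lm:
            if lm["result"] == "failed":
                failed[ip] += 1
            else:
                successes.append((ip, lm["user"], lm["pw"]))
            continue
        cm = CMD_RE.match(msg)
        if cm:
            cmds[(ip, sess)].append((ts, cm["cmd"]))

    # A human types a few commands over minutes; a bot runs its whole list in seconds.
    scripted = []
    for key, entries in cmds.items():
        span = (entries[-1][0] - entries[0][0]).total_seconds()
        if len(entries) >= burst_cmds and span <= burst_window:
            scripted.append(key)

    return {
        "failed": dict(failed),
        "successes": successes,
        "commands": {k: [c for _, c in v] for k, v in cmds.items()},
        "scripted_sessions": scripted,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(k, v)
```

Run against a real `kippo.log` by passing the file contents to `summarize`; the failed-count dictionary is the quickest way to see whether the hourly attempts the post mentions come from a handful of sources or many.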

The files that I have received thus far are:

army1.tar md5: 4ba9b19b262bd87b6af702dd6d7a3683
decoder.tar.gz md5: 1a29f818c023993baf903ebacc001da2
flood md5: e8ad571c662e01f6e942ced9859eddaa
gosh.tgz md5: d41d8cd98f00b204e9800998ecf8427e

(Since I started the post yesterday that has increased, but I'll save that for later)

Some of this isn't malware, but IRCbots. I guess someone is trying to flood a channel. Didn't work, but I'm not here to help them with it.
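Before handing captures like these to a reverser it is worth rehashing them and recording the size, because a download can fail silently: d41d8cd98f00b204e9800998ecf8427e, the MD5 listed for gosh.tgz above, is the MD5 of zero bytes, so that file is an empty fetch rather than a sample. The script below is an added example of mine, not the author's; it builds a constructed sample directory (a harmless shell script and an empty file, no real malware) and reports size, MD5 and SHA-256 per file, flagging empties.

```python
import hashlib
import os
import tempfile

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes


def hash_file(path, chunk=1 << 16):
    """Stream the file once, computing size, MD5 and SHA-256 together."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            size += len(block)
            md5.update(block)
            sha256.update(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def triage_downloads(directory):
    """Hash every regular file in the directory and flag zero-byte downloads."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        info = hash_file(path)
        info["empty"] = info["md5"] == EMPTY_MD5
        report[name] = info
    return report


def build_sample_dir():
    """Constructed stand-in for a honeypot download directory (not real samples)."""
    d = tempfile.mkdtemp(prefix="honeypot-samples-")
    with open(os.path.join(d, "flood"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed sample, not real malware\n")
    open(os.path.join(d, "gosh.tgz"), "wb").close()  # zero-byte download
    return d


if __name__ == "__main__":
    for name, info in triage_downloads(build_sample_dir()).items():
        flag = "  <-- empty download, nothing to analyse" if info["empty"] else ""
        print(f"{name}: {info['size']} bytes md5={info['md5']} sha256={info['sha256']}{flag}")
```

Recording SHA-256 alongside MD5 is cheap and avoids relying on MD5 alone when comparing against other people's sample lists.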

I'm in discussions with a pretty good reverse engineer to start a blog dedicated just to the malware from my honeypot and what it does, where it came from and who (if we know) is responsible. So once we get to that we will start posting write-ups for each piece of malware we find (hopefully).

I'm still trying to learn Reversing better and this gives me an opportunity to work on some more tools/malware.

Thursday, March 4, 2010

File analysis from memory

One of the things I find most helpful in the analysis of a possibly hacked system is to really comb through the memory. Having direct access to the system's memory and pagefile, or at least an image of the memory and a copy of the pagefile from the time, is extremely helpful in investigating whether a system has been compromised. With the sophistication of attacks these days it may be the only way that you can tell if the system has been compromised or is still compromised.

One thing I have found attackers do is mount a drive or create a virtual drive, launch their attacks from there and then remove the drives, leaving nothing for the investigator to pull off the hard disk. There may be some residual traces in the logs etc., but does that let you find out what they did? Or does it just give you an idea that something was done?

The attacker would then have their programs running on the system and, unless the system was restarted, full control of whatever they were doing. How often do you restart a mission critical server? Probably nowhere near as much as you should.

When I do memory analysis I like to use three sets of tools: Strings/Grep, Memoryze/Audit Viewer, and Volatility.

While I'm sure most have used Strings/Grep, not everyone has used Memoryze and/or Volatility. While I'll go over both of the tools in a later post, I'll say that I am drifting away from Volatility and using Memoryze more. Memoryze supports a great deal more OSes and it doesn't seem as if the primary developer of Volatility has done much to advance the program.
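A minimal version of the Strings/Grep step, as an added example of mine (not from the post or from any of the tools named): pull printable ASCII and UTF-16LE runs out of a buffer with their offsets, then grep them for patterns such as the drive-mapping commands described above. UTF-16LE matters because Windows keeps paths and command lines in that encoding and plain `strings` skips them unless told the encoding (`-e l` in GNU strings). The buffer here is constructed to stand in for a memory image; a real image is read through `strings_from_file`.

```python
import mmap
import re

PRINTABLE = rb"[\x20-\x7e]"


def extract_strings(buf, min_len=6):
    """Return (offset, encoding, text) for ASCII and UTF-16LE runs of min_len+ chars."""
    out = []
    for m in re.finditer(PRINTABLE + rb"{%d,}" % min_len, buf):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: each printable byte is followed by a NUL byte
    for m in re.finditer(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len, buf):
        out.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    return sorted(out)


def strings_from_file(path, min_len=6):
    """Same extraction over a file, memory-mapped so multi-GB images are not read into RAM."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return extract_strings(mm, min_len)


def grep_strings(strings, patterns):
    """Keep only strings matching any of the regex patterns (case-insensitive)."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [(off, enc, s) for off, enc, s in strings if any(c.search(s) for c in compiled)]


def build_sample_image():
    """Constructed bytes standing in for a memory image; not a real capture."""
    return (
        b"\x00\x01" * 8
        + b"net use Z: \\\\10.0.0.5\\share"            # ASCII command line at offset 16
        + b"\x00" * 5
        + "C:\\Windows\\Temp\\dropper.exe".encode("utf-16-le")  # UTF-16LE path at offset 48
        + b"\xff" * 4
        + b"ab"                                        # too short to be reported
        + b"\x00" * 3
    )


if __name__ == "__main__":
    found = extract_strings(build_sample_image())
    for off, enc, text in grep_strings(found, [r"net use", r"\\temp\\", r"\.exe$"]):
        print(f"{off:#010x} {enc:8s} {text}")
```

Offsets are what make this useful beyond a plain `strings | grep`: once a hit is located, the surrounding page can be inspected in Memoryze or Volatility to tie the string to a process.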

The whole point of the post, though, is the support for file acquisition from memory. While both programs seem to give you the ability to reconstruct the program from memory, I haven't had much success in getting the accompanying drivers with the executable in Volatility. I've also found that Memoryze works extremely well with the MRI (Malware Rating Index), but unfortunately this only works on live memory. In email exchanges with the developer (Peter Silberman) he was kind enough to explain the reasoning in terms that a moron such as myself could understand.

I'll try to break it down into Barney terms here. When the system memory is dumped you are taking a snapshot of the memory, but you are not taking the pagefile. This is critical for the rating and analysis of memory. Even if you grab the pagefile and then try to merge the two to create a better snapshot the system is constantly paging out files and back in. By the time you are done snatching the memory chunks that were paged out to point A may have moved to point R or not exist at all. So the reference is invalid. He did a much better job of explaining, to the point of even including stack references. If I tried to mimic without plagiarizing what he said, my license to use the internet would be revoked.

So while this post wasn't too exciting, I plan on more in-depth, useful information in the future. I'm working on a head-to-head smackdown between Volatility and Memoryze. I've heard there is a bit of bad blood between the two teams, so maybe an unbiased look will help.

Wednesday, February 17, 2010

Who's selling APT today?

Oh the shame. I used APT in my blog. I USED A BUZZ WORD! How can I look myself in the mirror?

Who cares?

The fact is that one half of the infosec community is sick of hearing about APT and the other half is doing everything they can to sell themselves with "Advanced Persistent Threat". We have all these companies and pontificating "read my book" "super-star" security bloggers pushing their products, their services, their thoughts, their speeches, their dead trees, etc., etc., etc., until I am tired of hearing their BS as well. I mean honestly, do I need to be told to read your F'ing book every time something happens? It was written five years ago. Get new material.

What matters most is that APT is real. It may not directly impact everyone in information security, but it does impact everyone indirectly at least.

It doesn't matter if Google was full of crap with half their statements about what they will do to China next. It doesn't matter that APT uses off the shelf products as much as home brew and every idiotic inexperienced moron with an Anti-Virus setup will claim that the "enemy is at the gates" or inside for that matter.

No, what matters is that it has people's attention and they start treating things like they should. Even if it's for a little while, it's more than what you had before. The worst it can do is make your job harder. Let's face it, if your job is harder are you not still employed? I can go down to the next ISSA meeting and find someone who will trade you positions if you feel like bitching about your job. Up to you.

There is no magic IDS system that will find APT. Even though it's claimed that you can scan a whole month's worth of traffic in just a few minutes, I highly doubt you will need to worry then. Most times they are not after the local software developer with 4 people on staff. The attackers will steal your stuff from a bigger source anyway.

There is no single firewall that will keep them out. You have to have holes to let stuff in and out. The attackers know how to find your holes and they know how to exploit them. If you think a firewall will save you, then you need to go back to 1998.

Your AV system will not always find them and clean them out. What if you are using the same tools? What if they popped a box that was out of the network, dumped your password and then crashed the hard drive? Would you even see the logs or malware that was left there? Then they have access to your network without using malware.

Scanning your logs alone will do nothing but hurt your eyes. Can you identify every single login in your network? If you can then you probably are not a target. Can you identify every single time a user logs in and not a script? Can you identify every system the user has permission to log into? Do you have a single server that the user is assigned to? So if that user has to check out a file from another server, do they ask a local administrator to do it? We all know those local admins will NEVER elevate someone's permissions to save time.

Then there is training. How many of your users know not to open every PDF they come across? Or how about those links that get sent in? That awesome flash video demonstrating the effectiveness of the military's new weapons? Who's responsible for checking it? Do you want that job or should we just send the link to the "super star" security guy? He will solve all your problems.

It takes an effort on all these things and more. It's going to take an investment of time, money, people and effort. It's not going to come out of reading one guy's blog, book or sales material. It's going to take new, innovative ideas. The bad guys are thinking up new ideas all the time. They can stockpile 0-days. If Joe Snuffy finds a 0-day, do the higher-ups shrug him off as an inexperienced moron? I'm sure some of you have blown off or intimidated some lower person in the food chain regarding an idea. Maybe they told you and you dismissed it, or maybe they were too scared to tell you. Either way you may have lost out. YOU may be a "super star", but you don't know everything and he may not have read your book. Listen and learn.

No environment is the same as another, but if you are not looking at what you have and wondering how to make it more secure: just shut off your firewall, shut off your computers, and ship the hard drives to China/Russia/Korea/wherever.

You don't have the money for gear is your excuse: you have systems already. Virtualize. Do what you have to.

You don't have money for software. BS! There is plenty of free stuff, and if not there are plenty of scripting languages to learn that can help you.

You don't have the experience. How the hell did you get that job to begin with? Pick up some books, ask some friends, join some social network sites. Don't put your company info out there, but absorb everything you can.