German Honeynet Project - Honeynet research at the Laboratory for Dependable Distributed Systems
Honeypots are electronic bait, i.e. network resources (computers, routers, switches, etc.) deployed to be probed, attacked, and compromised. Honeypots run special software which permanently collects data about the system and greatly aids in post-incident computer and network forensics. Several honeypots can be assembled into networks of honeypots called honeynets. Because of the wealth of data collected through them, honeynets are considered a useful tool to learn more about attack patterns and attacker behavior in real networks.
The German Honeynet Project works in close relation with the Laboratory for Dependable Distributed Systems at the University of Mannheim. One of the main focuses of the German Honeynet Project is bringing Honeynet research to a solid scientific foundation and assessing the value of honeynet technology as a research tool.
The following pages explain the motivation for using the honeynet methodology and describe our experiences with a honeynet at RWTH Aachen University and the University of Mannheim. In analyzing the data collected through our experiment, we discuss the value of honeynets for computer vulnerability assessment. We also give an overview of the ethical and legal aspects of honeypots and a look at possible directions for further research.
Botnet Tracking
Our current work focuses on bots and botnets. More information can be found on a separate webpage that deals with the observation of botnets.
Presentations & Publications
Several presentations about honeypots and different aspects of our work were given by members of the German Honeynet Project. An overview can be found on the Presentations website. In addition, we publish our research at different workshops and conferences. An overview can be found on the Publications website.
Status Report 2007
German Honeynet Project Status Report May 2007
Period April 2006 - April 2007
1) DEPLOYMENTS
Current technologies deployed.
Data Control and Capture
Honeywall Roo
Sebek and other data-analysis tools
Data Analysis
Roo web interface
self-made analysis script + email alerting
Honeypots
Varying kinds of honeypots, commonly 2-4 honeypots running different versions of Linux and/or Windows
We have several honeypots up and running. Because we test new setups frequently, our honeynet changes quite often. These honeypots are either virtual honeypots running in VMware or physical honeypots running on real machines.
We have a /17 (now /18) network for nepenthes.
Several nepenthes sensors in diverse locations at several ISPs
One sensor for Leurré.com project, an international distributed network of honeypots to analyse suspicious activity.
Currently we run one honeypot for the POS-related research and a second sensor is in the setup phase.
We run several honeypots that help us to learn more about malicious websites. These are on the one hand web-decoys (developed by Michael Müter as part of his thesis) and on the other hand different kinds of honeyclients. The honeyclients are either low-interaction (developed by Ali Ikinci as part of his thesis) or high-interaction (as developed by Bing Yuan as part of his thesis).
Activity timeline: Highlight attacks, compromises, and interesting information collected
- SSH brute force attack
We had several successful compromises via SSH brute force scanning. The attacker downloaded several tools, including SucKIT and several SSH brute force scanners. Furthermore, we had several compromises due to vulnerable web-applications or insecure default installations.
- Malware collection
We collected more than 35,000 unique malware binaries with the help of nepenthes. The tool proved to be useful, and several other teams (including many non-honeynet related organizations) now use nepenthes on a daily basis. The collected malware typically consists of different kinds of bots, but we also collect other kinds of autonomously spreading malware.
- Botnet tracking
With the help of CWSandbox, we can automatically generate a behavior-based analysis report of the malware collected via nepenthes. The information about botnets is then fed into botspy, a tool designed to track different kinds of botnets. Currently our database has information about more than 1,400 botnets.
- Web-based attacks
Our honeyclients and web-decoys collect information about different kinds of web-related attacks. For example, we can find malware binaries available on the WWW, drive-by downloads that exploit a web browser, or similar information.
2) FINDINGS
Highlight any unique findings, attacks, tools, or methods.
- As noted in 1.2, we have collected more than 35,000 unique malware binaries. We are currently working on an automated clustering approach in order to estimate the number of unique malware families.
- We retrieved several tools from successful compromises, most of them common SSH brute force scanners, username/password lists and rootkits. Furthermore, we also collected several tools used by attackers after a compromise of a Windows machine.
- We did some further research in the area of phishing and were able to retrieve many phishing kits and related tools.
- With web-based decoys and honeyclients, we were able to collect some automated tools used in attacks against web applications. Examples include PHP backdoors or drive-by download attempts. Furthermore, we could observe how attackers use search engines in order to directly attack vulnerable versions of web applications.
- We were involved in initial research in the area of Point-of-Sale (POS) honeypots. More information pending…
Any trends seen in the past six months;
- Honeypots now seem to survive longer before they are attacked.
- Malicious network traffic on TCP port 445 is still huge; we had several million downloads of malware binaries on our nepenthes sensors.
What are you using for data analysis? What is working well, and what is missing, what data analysis functionality would you like to see developed?
- Standard forensic tools: tcpdump, (t)ethereal, tcpreplay, chaosreader, etc., plus Sebek and Walleye. We also use some self-made scripts that automate data-analysis tasks. More correlation of collected data would be nice, but the current versions are already very helpful. Honeysnap looks promising, we just need to use it on a more daily basis :-)
- For the analysis of the collected malware binaries, we use common AV engines and CWSandbox which helps us in dynamic analysis. The behavior-based analysis reports offer us a good overview of what a given binary does and complements the scan results of AV engines.
- The data collected within the Leurre project were used to carry out a larger correlation. The goal was to find some patterns within this data set that could be useful for other purposes. For this we used some custom scripts.
3) LESSONS LEARNED
What new positive things can you share with the community, so they can replicate your success?
- We enjoyed working with other members of the Research Alliance (especially with the UK Honeynet Project and several members of the Honeynet Project) in order to share technical stuff and ideas. Thanks a lot to all other members of the Research Alliance / Honeynet Project that gave us feedback on our work!
- New members bring in many new ideas.
- Running honeynets is fun and you can learn quite a lot with them. They prove to be a valuable tool for Information Assurance.
Mistakes to share with the community
- Keep detailed records of what you deployed, why, what happened to it, and when.
- Plan how to respond to an incident before one happens for real.
- Thorough testing of the whole setup before you go live – things that can go wrong will go wrong :-)
- Roo is easy to set up and maintain. You just need a decent computer, since more RAM and CPU means faster processing. And keep a backup of your config - presumably you will need to reset the Honeywall from time to time...
New research ideas
- We are involved in POS honeypots, more information to be published soon.
- Web-based decoys are quite interesting. Projects like honeyclient.org, PHPHoP, Google Hack Honeypots, Capture-HPC and HoneyC are developing interesting tools. We also have several tools in this area and develop them further.
- Explore how honeynets can be used as an additional component within an IDS infrastructure. We are experimenting with nepenthes in this area and the first results are convincing.
4) NEW TOOLS
What new tools or technology are you working on?
- libemu
Since nobody wanted to share the code for shellcode analysis, we wrote our own little x86 CPU emulation, and as reinventing existing wheels is really boring, we threw in API hooking for shellcodes run on our own CPU emulation. The project is called libemu and the plan is to provide a CPU and memory emulation as a C library for use in honeypots or IDS systems such as Snort; as you might guess, we are not done yet. What is working so far: detecting the GetPC code, emulating shellcodes on the CPU, and hooking calls to Windows DLLs. We are missing the backwards traversal to detect required instructions in front of the GetPC, but we are working on it.
This tool is developed by Paul Bächer and Markus Kötter. Some graphs which show preliminary results are available at nepenthes.mwcollect.org
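As an added illustration of the GetPC detection step mentioned above (this is example code written for this page, not libemu's code), the following C scanner flags the two most common x86 GetPC idioms in a captured payload: the call/pop trick and the fnstenv/pop trick. The sample payloads are constructed, not real captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scan result: byte offset of the first GetPC candidate (-1 if none) and
   the name of the pattern that matched. */
typedef struct {
    long offset;
    const char *kind;
} getpc_hit;

/* call $+5 (E8 00 00 00 00) followed by pop r32 (58..5F): the call pushes
   the address of the pop, which the pop then loads into a register. */
static int is_call_pop(const uint8_t *p, size_t left) {
    return left >= 6 && p[0] == 0xE8 && p[1] == 0x00 && p[2] == 0x00 &&
           p[3] == 0x00 && p[4] == 0x00 && p[5] >= 0x58 && p[5] <= 0x5F;
}

/* fnstenv [esp-0Ch] (D9 74 24 F4) followed by pop r32: the saved FPU
   environment contains the address of the last FPU instruction executed
   (e.g. the fldz that typically precedes it), and the pop retrieves it. */
static int is_fnstenv_pop(const uint8_t *p, size_t left) {
    return left >= 5 && p[0] == 0xD9 && p[1] == 0x74 && p[2] == 0x24 &&
           p[3] == 0xF4 && p[4] >= 0x58 && p[4] <= 0x5F;
}

/* Linear scan over a captured payload; returns the first match. */
getpc_hit scan_getpc(const uint8_t *buf, size_t len) {
    getpc_hit h = { -1, "none" };
    for (size_t i = 0; i < len; i++) {
        if (is_call_pop(buf + i, len - i)) {
            h.offset = (long)i; h.kind = "call/pop"; return h;
        }
        if (is_fnstenv_pop(buf + i, len - i)) {
            h.offset = (long)i; h.kind = "fnstenv/pop"; return h;
        }
    }
    return h;
}
/* Constructed sample payloads (not real captures): a short NOP sled before
   a call/pop stub, an fldz/fnstenv stub, and a benign HTTP request line. */
static const uint8_t sample_call_pop[] = { 0x90, 0x90, 0xE8, 0, 0, 0, 0, 0x5B, 0xC3 };
static const uint8_t sample_fpu[]      = { 0xD9, 0xEE, 0xD9, 0x74, 0x24, 0xF4, 0x5B };
static const uint8_t sample_clean[]    = "GET / HTTP/1.0\r\n";
int main(void) {
    getpc_hit a = scan_getpc(sample_call_pop, sizeof sample_call_pop);
    getpc_hit b = scan_getpc(sample_fpu, sizeof sample_fpu);
    getpc_hit c = scan_getpc(sample_clean, sizeof sample_clean - 1);
    printf("call_pop: %s at %ld\n", a.kind, a.offset);  /* call/pop at 2 */
    printf("fpu:      %s at %ld\n", b.kind, b.offset);  /* fnstenv/pop at 2 */
    printf("clean:    %s at %ld\n", c.kind, c.offset);  /* none at -1 */
    return 0;
}
```

Plain byte matching like this produces false positives on arbitrary binary data, which is why libemu goes on to execute the candidate on its emulated CPU and, as the text notes, still needs the backwards traversal for the instructions that must precede the GetPC.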
- honeytrap
Honeytrap is a network security tool written to observe attacks against network services. As a low-interaction honeypot, it collects information regarding known or unknown network-based attacks and thus can provide early-warning information. The applied model strictly distinguishes between data capture and attack analysis. The process of collecting information related to attacks is done completely within the core system. Further processing, such as automated analysis, can be done with plugins which can be loaded dynamically at runtime. This guarantees expandability without the need to shut down or even recompile the software.
This tool is developed by Tillmann Werner. More information is available at honeytrap.mwcollect.org
- nepenthes / mwcollect – “Collecting malware in non-native environments”
The main idea behind nepenthes is the emulation of vulnerable services. Instead of deploying a high-interaction honeypot with vulnerable services that can be exploited by autonomously spreading malware, this program emulates the services. On the one hand, this reduces the risk of running a honeynet. Since nepenthes does not run a vulnerable service, an attacker cannot fully compromise the honeypot. The attacking process will interact with an emulation and thus we mitigate the risk involved. Once we have downloaded a piece of malware, it is stored on the hard disk and never executed. So the honeypot is never infected with malware – something impossible with a high-interaction honeypot. On the other hand, this approach leads to better scalability: we were able to run several thousand honeypots on just one physical machine. Honeytrap can now submit to the mwcollect alliance and there is a plugin for locality sensitive hashing, in order to detect attacks generically in real-time.
More information is available at http://nepenthes.mwcollect.org
- mwcollect Alliance
The idea behind this project is to establish a trusted community which aims at collecting malware. Every participant contributes data (e.g., malware collected with the help of nepenthes) and then has access to all data contributed by others. The central repository is now up and running and we have about 100 participants. More information is available at https://alliance.mwcollect.org. Georg re-wrote the backend (PostgreSQL database and Python + Apache2 based submission server) and began to work on a new web-interface.
- Advanced Honeynet-based Intrusion Detection
The goal of this project is to build a distributed Intrusion Detection System (IDS) based on nepenthes and Blast-O-Mat. The system is capable of efficiently detecting offending hosts within the campus network and blocking network access for these machines. Moreover, it includes an alerting mechanism and a way to download patches to the blocked machines.
- Automatic Behavior Analysis of Malware – CWSandbox
The goal of this project is to build a sandbox similar to the Sandbox by Norman that enables an easy and flexible way to quickly analyze a given binary. This analysis is dynamic, in contrast to static analysis with a debugger/disassembler. The resulting tool is capable of analyzing a given binary during runtime and monitoring its behaviour. Since most of the binaries will be bots or other kinds of malware, the focus lies on the extraction of sensitive information regarding the central Command & Control server used in botnets.
This research is carried out by Carsten Willems.
- Point-of-Sale Honeypots (in cooperation with several members of the Honeynet Project, the UK Honeynet Project, and some other people)
- Several other projects are currently in development, e.g., a better integration of nepenthes, CWSandbox, and botspy, a better visualization of the collected data, an emulation environment for malware analysis, or using API-hooking for intrusion detection. More information about these projects and a regular update is available at the diploma thesis web site.
Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
- Eventually an integration of nepenthes with the Honeywall makes sense. We had some discussions about this and wait until the next Honeywall with distributed capabilities is published.
- If other people are interested in publishing papers together with us, please send us an e-mail.
5) PAPERS AND PRESENTATIONS
Are you working on any papers to be published, such as KYE or academic papers?
- Several people are working on a KYE paper on dynamic services and shellcode detection via emulation.
- In addition, we are working on several academic papers with honeynet-related content. This is steadily changing, so please contact us if you want more information.
Are you looking for any data or people to help with your papers?
- If somebody has interesting data feeds (malware captures, tcpdumps, ...) we are happy to collect and analyze them. With the mwcollect Alliance we already have an infrastructure for malware capture. For more information on this, please contact Georg Wicherski.
Where did you present honeypot-related material? (selected publications)
- Markus Koetter: “How does nepenthes work”, 5th International GOVCERT.NL Symposium, September 2006, The Hague
- Thorsten Holz: “Honeypots, Bots & Botnets, and Automated Malware Analysis”, 5th International GOVCERT.NL Symposium, September 2006, The Hague
- Carsten Willems: “Getting More out of Sandbox Technology: Automated Analysis of Malware & Bots”, Internet Security Operations and Intelligence (ISOTF) workshop, August 2006
- Georg Wicherski and Thorsten Holz: “Catching Malware to Detect, Track and Mitigate Botnets", Black Hat Japan, November 2006
- Georg Wicherski: “Automated Botnet Detection and Mitigation", CCC, December 2006
- Georg Wicherski: “Automated Botnet Detection and Mitigation", National IT and E-Security Summit (NITES), Dublin, 2006
- Tillmann Werner: “honeytrap: Ein Meta-Honeypot zur Identifikation und Analyse neuer Angriffstechniken", 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", February 2007
- Jan Göbel: “Der Blast-o-Mat", DFN Betriebstagung, February 2007
- Carsten Willems: “CWSandbox", a-i3/BSI Symposium, April 2007
- Thorsten Holz: “Advanced Honeypot Tactics”, Dojo course at EUSecWest, CanSecWest and PacSec
- Niels Provos and Thorsten Holz: “Virtual Honeypots”, Addison-Wesley Professional; 1 edition (July 20, 2007)
- Thorsten Holz: presentations regarding honeypots, bots/botnets, nepenthes, malware, and other topics at TNC'06, ISF, SyScan'06, Hack in the Box 2006, and IT-Defense 2007.
6) ORGANIZATIONAL
Changes in the structure of your organization.
- We had several new members in the last period, bringing in new and fresh ideas. New students joined the German Honeynet Project and we will also have some more industry contacts soon.
Your feedback on Alliance activities.
- The Annual GetTogether was great and we really enjoyed to work and have fun together with the UK and Norwegian Honeynet Projects and the members of the Honeynet Project.
- Similarly, all other meetings turned out to be very productive and fun. More of those smaller meetings could be very valuable in the future. Several members had a local get-together in Aachen in March 2007. This was very productive and great fun.
Any suggestions for improving the Alliance?
- We already discussed several issues with Lance.
7) GOALS
Which of your goals did you meet for the last six months?
- Establishing cooperation with various German CERTs and Internet Service Providers (ISPs).
- Increase the number of honeypots deployed, covering different operating systems and services.
- Develop the tools further, especially in the areas of botnet tracking, malware collection and automated analysis of malware, and web-related honeypots.
Which of your goals did you not meet for the last six months?
- The SotM challenge is still not published and we need to discuss some more details.
- Organize and host a European Honeynet Workshop. Has been postponed, but hopefully we can eventually organize such an event (perhaps in cooperation with Honeynor).
Goals for the next six months
- Make more time for honeynet research and other activity.
- Bring in a couple of additional core team members.
- Begin fundraising and seeking external sponsorship.
8) MISC ACTIVITIES
- Contribution in proposal together with SWRI.
Bi-annual status report
Older bi-annual status reports are currently not available; we are working on recovering them.
Participants
Participants in our project include:
- Thorsten Holz (thorsten.holz@informatik.uni-mannheim.de)
- Maximillian Dornseif (dornseif@informatik.uni-mannheim.de)
- Felix Freiling
- Christian Klein
- Sven Müller
- Sebastian Reitenbach
- Carsten Willems
- Jan Göbel (goebel@informatik.uni-mannheim.de)
- Ali Ikinci
- Bing Yuan
- Claus Overbeck
- Sebastian Gorecki
- Laura Itzel
- And several other persons