To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Honeynet Project Blog

Forensic Challenge 2010 - Challenge 1 update

Main blog - Thu, 02/04/2010 - 03:52
Monday, February 1st, the submission deadline for challenge 1 of the Forensic Challenge 2010, has passed. We have received 88 submissions, and Tillmann, who has been judging them, mentioned there were some excellent submissions in the mix. Tillmann will be highlighting some answers when we announce the results on the 15th of February. I have acknowledged receipt of each submission received via email. If you have not received a confirmation mail from me, please contact me at forensicchallenge2010@honeynet.org and I will check whether we have received it.

Christian

Glastopf Project: A Look Ahead

Main blog - Wed, 02/03/2010 - 08:04
Glastopf: On January 22nd I met Sven. Sven is a bachelor student at the Bern University of Applied Sciences and will write his thesis about Glastopf. During his work he will rewrite the current Glastopf unstable version, but when he is finished the new version will have at least the same features as the previous version. The goals are: a much better modular structure, meaning there is one core which directs every request to the modules; they store the data, emulate the vulnerability and compose the response which the core gives back to the attacker. There will be a much better classification of incoming attacks, and the rules used for this will be totally detached from the source code so they can be distributed easily between different sensors. I will post some details as soon as we have started the work. This also means that we will freeze the current unstable version to put all effort into the new version.

First challenge of the Forensic Challenge 2010 has been posted.

Main blog - Mon, 01/18/2010 - 07:21
We have just posted the first challenge of the Forensic Challenge 2010. The first challenge deals with a network attack. It has been provided by Tillmann Werner from the Giraffe Chapter. It is accessible at https://honeynet.org/node/504. Submissions are due on Monday, February 1st 2010 and results will be released on Monday, February 15th 2010. The top three submissions will be awarded small prizes. Check it out!

Challenge 1 of the Forensic Challenge 2010 - pcap attack trace

Main blog - Mon, 01/18/2010 - 06:18
Forensic Challenge 2010 Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.

Send submissions (please use the MS Word submission template or the OpenOffice submission template) to forensicchallenge2010@honeynet.org no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.


Skill Level: Intermediate

The Challenge:

A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

  1. Which systems (i.e. IP addresses) are involved? (2pts)
  2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
  3. How many TCP sessions are contained in the dump file? (2pts)
  4. How long did it take to perform the attack? (2pts)
  5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
  6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
  7. What specific vulnerability was attacked? (2pts)
  8. What actions does the shellcode perform? Please list the shellcode. (8pts)
  9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
  10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
  11. Do you think this is a manual or an automated attack? Why? (2pts)
Download:
attack-trace.pcap_.gz SHA1: 0f5ddab19034b2656ec316875b527d9bff1f035f
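As an added illustration of how questions 1, 3 and 4 can be approached (this is not part of the challenge or of its sample solution), the following Python script parses a classic pcap file without third-party libraries and reports the IP addresses involved, the number of TCP sessions (unique direction-normalised 4-tuples) and the capture duration. The embedded capture is constructed in memory for the demonstration; it is not the challenge's attack-trace.pcap.

```python
import struct

# Constructed sample pcap (Ethernet/IPv4/TCP) built in memory; it is not the
# challenge's attack-trace.pcap. Two client sessions to 192.0.2.10 plus one
# reply packet, with timestamps spaced to give a measurable duration.
def _tcp_packet(ts_sec, src, dst, sport, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = eth + ip + tcp
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _tcp_packet(100, "10.0.0.5", "192.0.2.10", 40001, 445, 0x02),   # SYN, session A
    _tcp_packet(100, "192.0.2.10", "10.0.0.5", 445, 40001, 0x12),   # SYN/ACK, session A
    _tcp_packet(101, "10.0.0.5", "192.0.2.10", 40002, 1957, 0x02),  # SYN, session B
    _tcp_packet(145, "10.0.0.5", "192.0.2.10", 40002, 1957, 0x11),  # FIN/ACK, session B
])

def summarize(pcap):
    """Return (sorted IPs seen, TCP session count, capture duration in seconds)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet (linktype 1) frames")
    ips, sessions, times, off = set(), set(), [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        ips.update((src, dst))
        times.append(ts_sec + ts_usec / 1e6)
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue  # not TCP, or truncated before the ports
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        # Normalise direction so both halves of one conversation share a key.
        # (A port pair reused after FIN would be merged; Wireshark's tcp.stream
        # would split it, so treat this count as a lower bound.)
        sessions.add(tuple(sorted([(src, sport), (dst, dport)])))
    duration = max(times) - min(times) if times else 0.0
    return sorted(ips), len(sessions), duration

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))  # (['10.0.0.5', '192.0.2.10'], 2, 45.0)
```

Run it against the real trace by reading the decompressed file into `summarize()`; the session count should then be cross-checked against Wireshark's Conversations view.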

Announcing the Honeynet Project Forensic Challenge 2010

Main blog - Tue, 01/12/2010 - 17:34

I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step further. Instead of having the Honeynet Project analyze attacks and share its findings, Forensic Challenges give the security community the opportunity to analyze attacks and share their findings. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.

It has been several years since we provided Forensic Challenges, and with the Forensic Challenge 2010 we will provide desperately needed upgrades. The Forensic Challenge 2010 will include a mixture of server-side attacks on the latest operating systems and services, client-side attacks that emerged in the past few years, attacks on VoIP systems, web applications, etc. At the end of each challenge, we will provide a sample solution created by our members using state-of-the-art tools that are publicly available, such as libemu and dionaea.

The first challenge (of several for 2010) will be posted on our Forensic Challenges web site on Monday, January 18th 2010. We will be open to submissions for about two weeks and announce the winners by February 15th 2010. This year, we will also award the top three submissions with prizes! Please check the web site on Monday, January 18th 2010 for further details...



Christian Seifert

Chief Communications Officer
The Honeynet Project

Italian Chapter updates

Main blog - Wed, 12/16/2009 - 09:41
Folks, I would like to inform you all about the recent activities we have been working on. First of all, we have totally rebuilt our web site. The new one aims to be a central repository of all the (external/internal) news concerning botnets (mainly) and malware (secondarily). We will use the blog for posting about our project developments, and for commenting on/reporting interesting news concerning the field that we are currently treating, so you can now add a new entry to your feed reader :)

VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"

Australian Blog - Sat, 12/05/2009 - 13:55

There are quite a few ways that a criminal can make use of a compromised VOIP server. It's important to realize that the criminal mind is very imaginative, and there will be many motives and scams that we have not even imagined yet, much less experienced.
When looking at these types of questions, I think it helps to have the notion of motive in the back of your mind. This may sound obvious, but I find this helps answer the question 'what would a person or group with this motivation want with a compromised VOIP system?'.

Here are some potential motives. While I won't go into every possible scenario, it's really not hard to imagine that full control of a target's phone system would be handy for people with any of these motives.

  • Financial gain
  • Political
  • Religious
  • Reputation and ego of the hacker
  • Intellectual Property theft, Trade Secrets
  • Espionage
  • Retribution, commercial or personal
  • Vandalism, miscreant activity (bored youth...)

I got some great local and international feedback on incidents from readers of Part 1 and Part 2 of this blog series (thank you, everyone). Most of these incidents seem to fall into the 'Financial gain' motive group, so I'll give two examples of common attacks which are currently seen in AU and overseas, and a possible future threat.

Cheap overseas calls / calling cards.
One of the most common uses for hacked VOIP servers is to simply make unauthorized calls, and there have been incidents of hacked VOIP servers being used in relation to calling card scams to do just this. This is not to say that all cheap calling card operations are scams; most, I'm sure, are legitimate.
Here is a brief overview of a simple version of the scam:

  • The crook controls a hacked VOIP system in (say) Australia. This means that they can accept and redirect calls, and essentially control every aspect of that phone system.
  • The crook sells 'calling cards' to citizens of another country who live in, or are visiting, Australia. The card allows them to call home at ridiculously cheap rates, a tiny fraction of the cost of a legitimate overseas call.
  • The buyer of the calling card is instructed to call a local (probably legitimate) number in Australia and then enter the international number they are trying to reach. The crook then reroutes these calls through VOIP to the hacked system, which then makes the international call. This functionality could potentially be turned off periodically to evade being uncovered, and could even be configured to only use the hacked VOIP server for calls to a specific set of countries.
  • The buyer of the calling card of course could not be aware that the call was routed through a hacked VOIP system; they are just happy to have spoken to family and friends at a cheap rate.
  • Note also that it is entirely possible for the calls to be re-routed through an entire chain of hacked VOIP servers in 2, 3 or more different countries, effectively 'laundering the call' by making it harder to track down if an investigation is ever launched. Jurisdictional, timezone, culture and language differences are some of the most challenging hurdles faced by cybercrime investigators, and the crooks know how to take advantage of this (I aim to explore these aspects in a later instalment of this blog series).
  • The important thing is that the calling card holder just got an overseas call for the cost of a local call plus the crook's margin, so they are not really the victim. The owner of the hacked VOIP server, however, may (or may not, depending on the size of a normal bill) realize that something is amiss when they get their next phone bill, as it was their system that made the calls. We have heard a few stories of this occurring (in Australia and abroad), where the victim's telephone bill inexplicably sky-rocketed by over $20,000 in one case here in Australia!

Premium rate number calling
This attack predates VOIP by many years, first being used on standard corporate PABX systems. VOIP has made this much more lucrative for the crooks due to the call volumes it allows.

The scam is fairly simple.

  • The crook has control of hacked VOIP system(s) for which the victim gets billed on a monthly basis. This VOIP system may belong to a corporate entity, and so may be capable of making many concurrent calls.
  • The crook has a premium rate 1900 number, for which they collect revenue on a weekly or daily basis.
  • The crook gets the hacked VOIP system to make multiple, repeated calls to the 1900 number, thus adding to the account of the 1900 number at the expense of the owner of the hacked VOIP system.
  • The crook collects the revenue from the 1900 number every day/week until someone notices.
  • In this case, the victim may not realise they have been hacked until they receive the bill at the end of the month, by which time the crook has made off with potentially hundreds of thousands of dollars over at least 2 weekly collection periods.

Note also that there is a money trail here, so the crook must also engage in other crime types such as identity theft, money laundering, etc. to actually get cash out.
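As an added example from the defender's side (not part of this post), here is a small Python check over call detail records that flags the two billing patterns just described: repeated calls to a 1900 premium-rate number, and a burst of off-hours international calls (Australian 0011 IDD prefix). The CDR format, the sample records and the alert thresholds are assumptions made for the illustration, not values from any real gateway.

```python
from collections import Counter
from datetime import datetime

# Constructed CDR lines (not from any real PABX or VOIP gateway), one call per
# line: "start time,extension,dialled number,seconds". 1900 numbers are
# Australian premium-rate; 0011 is the Australian international dialling prefix.
SAMPLE_CDR = """\
2009-12-05 02:10:04,201,1900123456,600
2009-12-05 02:20:11,201,1900123456,600
2009-12-05 02:30:15,202,1900123456,600
2009-12-05 02:40:22,203,1900123456,600
2009-12-05 02:50:30,201,1900123456,600
2009-12-05 03:01:00,205,001144207946000,1200
2009-12-05 03:01:05,206,001144207946001,1200
2009-12-05 03:01:09,207,001144207946002,1200
2009-12-05 03:01:12,208,001144207946003,1200
2009-12-05 09:15:00,101,0293334444,120
2009-12-05 14:02:00,102,001164099999999,300
"""

def parse_cdr(text):
    """Parse CDR text into (start datetime, extension, dialled, seconds) tuples."""
    rows = []
    for line in text.splitlines():
        ts, ext, dialled, secs = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ext, dialled, int(secs)))
    return rows

def find_toll_fraud(rows, premium_max=3, intl_burst=3, intl_window_s=60):
    """Return alert strings for premium-rate repeat dialling and for bursts of
    off-hours international calls; the thresholds are illustrative assumptions."""
    alerts = []
    premium = Counter(r[2] for r in rows if r[2].startswith("1900"))
    for number, n in sorted(premium.items()):
        if n > premium_max:
            alerts.append(f"premium-rate {number} dialled {n} times")
    # International calls placed outside 08:00-18:00, in time order
    intl = sorted(r for r in rows if r[2].startswith("0011") and not 8 <= r[0].hour < 18)
    # Sliding window: report the first run of >= intl_burst calls within intl_window_s
    for i in range(len(intl)):
        j = i
        while j + 1 < len(intl) and (intl[j + 1][0] - intl[i][0]).total_seconds() <= intl_window_s:
            j += 1
        if j - i + 1 >= intl_burst:
            alerts.append(f"{j - i + 1} off-hours international calls within "
                          f"{intl_window_s}s from {intl[i][0]:%H:%M:%S}")
            break
    return alerts

if __name__ == "__main__":
    for alert in find_toll_fraud(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

Running a check like this daily against the gateway's CDR export surfaces the fraud long before the monthly bill does.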

Future threat – Denial of Service
The motive behind this attack could probably be any of the ones listed above.
I've not heard of any instances of this, but it's worthwhile considering how we would deal with the threat of Denial of Service on voice systems. This could be as simple as an attacker using a hacked VOIP system to dial multiple concurrent calls into a target's phone numbers (VOIP, or PSTN for that matter), which would exhaust all of the available connections, even ISDN/PSTN indials. Remember that SIP, the predominant VOIP protocol, runs over UDP (connectionless) and, being an Internet protocol, could be emulated/faked, so perhaps a hacked VOIP system wouldn't even be required to effect a DoS.
This area needs much more research and consideration from authorities much better funded and capable than us, and yes, we are more than happy to brainstorm ideas on threat scenarios and mitigations with the appropriate agencies/researchers; just contact us.

Given the importance of voice systems both for commerce and their use in emergency situations, it's imperative that threat scenarios are identified and risks are mitigated to within acceptable tolerances. I hope this blog gives some background info to organizations who are starting to consider the threats they face and put in place appropriate controls and response plans.

Next in the blog series is PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS". Feel free to contact me at ben@honeynet.org.au with any feedback, or input into the next one.

Nepenthes Pharm

Main blog - Sun, 11/29/2009 - 18:32
Parvinder Bhasin asked us to post an announcement about his new tool. While not officially a tool developed by the Honeynet Project, we thought you should know about some of the great work he is doing. Nepenthes PHARM is a perfect companion to your Nepenthes honeypot installations. PHARM is an Open Source client/server and web portal package which provides central reporting and analysis of your distributed Nepenthes-based honeypots.

Know Your Tools: use Picviz to find attacks

Main blog - Thu, 11/26/2009 - 17:27
We are very excited to announce the publication of our first paper in the new Know Your Tools paper series: “KYT: use Picviz to find attacks”, authored by Sebastien Tricaud from the French Chapter and Victor Amaducci from the University of Campinas.

The paper can be downloaded at Know Your Tools: use Picviz to find attacks.

Paper Abstract
Picviz is a parallel coordinates plotter which enables easy scripting from various inputs (tcpdump, syslog, iptables logs, Apache logs, etc.) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is difficult to identify with traditional analysis methods.

In the first paper of our new Know Your Tools series, Sebastien Tricaud from the French Honeynet Project Chapter and Victor Amaducci from the University of Campinas focus on Picviz. After a brief overview of parallel coordinates, the Picviz architecture and the installation procedure, three real-world examples are presented that illustrate how to identify attacks from large amounts of data: Picviz is used to analyze SSH logs, Apache access logs and network traffic. With these examples, it is demonstrated how Picviz can find attacks that were previously hidden.

Recent additions to the Picviz GUI have been made by Victor Amaducci under the mentorship of Sebastien Tricaud as part of the Google Summer of Code program 2009. The most recent version of Picviz is freely available for download from its project site at http://www.wallinfire.net/picviz and support can be sought from the Picviz mailing list at http://www.wallinfire.net/cgi-bin/mailman/listinfo/picviz.

RE-Google in action - screenshot

Main blog - Sun, 11/15/2009 - 22:49

RE-Google in action - screenshot

Main blog - Sun, 11/15/2009 - 22:34

RE-Google Architecture

Main blog - Sun, 11/15/2009 - 22:31

RE-Google - or how Grandma started Reverse Engineering

Main blog - Sun, 11/15/2009 - 22:20
Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

Glastopf

Main blog - Sat, 10/17/2009 - 19:19
Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among other things, deface the web site, send spam, turn the web site into a bot, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to set up, and once indexed by search engines, attacks will pour in by the thousands daily. Glastopf was developed as part of the 2009 Google Summer of Code by student Lukas Rist (mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org/.