Forensics Analysis of a

1
Forensics Analysis of a Compromised
Honeypot Date 27th November 2008
Location University of Glamorgan, Wales
by Anthony Keane, PhD Institute of Technology
Blanchardstown, Dublin, Ireland anthony.keane_at_itb.
ie http//www.itb.ie
2

• Overview of Presentation
• Why use Honeypots?
• Types of Honeypots
• Monitoring Honeypots
• Approaches to analysing the compromised Honeypots
• Baseline measurements
• Monitoring and logging events
• Forensics analysis
• Benefits and Drawbacks of using Honeypots

3

• Data Sample for Forensic Analysis
• Problem in getting large numbers of unique data
  sets for forensic analysis
• Problem in how challenging the data set can be
  for analysis
• Problem in getting realistic looking data sets
• Problem in collection and distribution of the
  data sets

Solution Get students to setup their own
honeypots and create their own data sets
4

• What are Honeypots?
• A Honeynet is a network that hosts computers with
  no real productive functional activity
• Any activity on the Honeynet is suspicious
• Honeypots are individual computers placed on the
  Honeynet to act as targets for malicious activity

5
Honeynet Architecture
6

• Types of Honeypots
• Low Interaction
• High Interaction
• Virtual Computers
• Servers
• MS-Windows Server 2003 and 2008
• Linux Ubuntu
• Apple Mac
• Clients
• MS-Windows XP
• Windows 2000
• Vista

7

• Harden the Honeypot
• Install up-to-date patches
• Disable all unnecessary user and admin accounts
  and setup new account with varying degrees of
  rights and password strengths
• Deactivate services to simplify operations
• Record Honeypot Baseline
• Status of services and processes, modules and
  objects, environment variables, files, programs,
  scheduled tasks, registry, disk and slack space
  and so on.
• Not perfect as normal computer activity will
  change files also.

8
Remote monitor of network traffic (roo 1.4 and
Walleye)
9
Examples of statistical data
Service Port Protocol No. of Attacks
Reserved(icmp) 0 icmp 444
microsoft-ds 445 tcp 3984
Netbios 135 tcp 349
Netbios 139 tcp 3968
http 80 tcp 722
telnet 23 tcp 16
ssh remote login 22 tcp 52
ms-sql 1434 udp 118
Unassigned 1026 udp 3883
Unassigned 1027 udp 3865
Unassigned 1028 udp 3714
10
Approach to Analysis of Attack
Detect Attack

• Three basic parts to any approach for analyzing a
  Honeypot
• take a baseline measurement of the Honeypot
  computer
• setup monitoring logging of events to alert you
  to activity on the Honeypot
• have a forensic toolkit to extract and analyse
  the hacking activity from the Honeypot.

Off-line
Live
Create Image
Monitor online activity using Wireshark / Process
Manager
Compare Baselines
Sandbox
Controlled Execution of Malware
11
Example of analysis procedure of an attack

• Honeywall The alert was an increase in outbound
  traffic
• Baseline Large number of ports had been opened
• New services were running on the system.
  urdvxc.exe
• Removed to a sandbox environment
• Once the file was executed, it immediately
  started to send out packets to an IP address
  later identified as from Estonia and also it
  opened several ports on the computer.

12

• ecxjhhks.exe was downloaded into the IIS home
  folder
• accesses the website unknowingly executed the
  file which created the urdvxc.exe file.
• Made registry entries and startup service classed
  as a Windows Service.
• In total, 181 copies were placed in many Windows
  system folders and with random variations in the
  file name. The timestamps of the files were also
  changed to reflect older files.
• How this worm file got onto the Honeypot.
• ping sweeps scanning the subnet addresses range
• followed by an increase in traffic to the two
  Honeynets with Microsoft operating systems in
  which the worm file was deposited on the server
  computer.
• Entry was gained by the hacker accessing a user
  account with a weak pwd

13
72.76.79.34 is the source of the traffic that the
worm was traced to.
14

• Forensics Procedures
• Advantages of using a Compromised Honeypot for
  analysis
• Opportunity to analyse live or dead system
• Multiple original data sets can be made
• Can control sizes of data sets
• Can use different operating systems on honeypot
• Get to use multiple analysis tools
• Realistic data sets and possibility of
  discovering something new
• Good for researching

15

• Who benefits from this approach
• Lecturers
• Access to data sets for analysis
• Combining Network Forensics with Computer
  Forensics
• Implements most of the basic classroom theory
• Students
• Interesting data sets
• Wide range of analysis tools to use
• Wide range of possible activities in setting up
  the honeypot
• Start simple and increase the complexity
• Research
• Access to new data
• Link to real-world activities of hackers
• Testing ground for new tools

16

• What students can learn
• Apply wide range of forensics skills and
  knowledge covering
• Operating systems
• Microsoft
• Linux
• Mac
• Others
• Services
• Email
• Internet browsers / servers
• Chat / RSS feeds
• Applications
• Networking protocols
• TCP/IP
• Network monitoring tools
• IDS and IPS
• Wireshark
• Tools

17
Introduction to Netwrok OSI Layer Attacks and
Tools used Learn how the hacker works and where
to look for evidence on the computer.

• A LIVE Security cdrom, based on Slackware Linux
  and the popular Auditor and Whax live cdroms
• A large number of network tools and best-of-breed
  hacking tools. Excellent wireless support and
  drivers.
• http//www.remote-exploit.org
• Version 3.0 will be in beta soon
• Works in VMWARE, Virtual PC and Parallels

Layer 2 - ARP flooding, Yersinia menu of layer
2 attacks Layer 3 - Routing protocols, Network
scanning Layer 4 - Bypassing security
policies Layer 7 - Application attacks
18

• Drawbacks from using Honeypots
• Reflects a particular type of activity on
  computers,
• i.e. intruder attack
• Activity not reflective of typical computer user
• Have un-compromised copy so before and after view
  of data set.
• Problems that can occur
• Becoming a zombie
• Spam source
• Malware Web host server

19
Thank you for listening. Any questions?