
Acknowledgement Some contents on honeypot are from  honeynets.ppt




1 Acknowledgement: some contents on honeypots are from http://staff.washington.edu/dittrich/talks/aro-honeynets.ppt

2 What Is a Honeypot?
- Abstract definition: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Lance Spitzner)
- Concrete definition: "A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised."

3 Example of a Simple Honeypot
- Install a vulnerable OS and software on a machine
- Install monitoring or IDS software
- Connect it to the Internet (with a global IP)
- Wait and monitor it being scanned, attacked and compromised
- Finish the analysis, then clean the machine

4 Benefit of Deploying Honeypots
- Risk mitigation: lure an attacker away from the real production systems (the honeypot is the "easy target").
- IDS-like functionality: since no legitimate traffic should take place to or from the honeypot, any traffic that does appear is malicious by definition and can trigger further actions.

5 Benefit of Deploying Honeypots (continued)
- Attack analysis: find out why and how you are attacked (the attacker's reasons and strategies).
  - Binary and behavior analysis of captured malicious code
- Evidence: once the attacker is identified, all captured data may be used in a legal procedure.
- Increased knowledge

6 Honeypot Classification
- High-interaction honeypots
  - A full and working OS is provided for being attacked
  - VMware virtual environment: several VMware virtual hosts in one physical machine
- Low-interaction honeypots
  - Only emulate specific network services
  - No real interaction or OS
  - Example: Honeyd
- Honeynet/honeyfarm
  - A network of honeypots

7 Low-Interaction Honeypots
- Pros:
  - Easy to install (a simple program)
  - No risk (no vulnerable software to be attacked)
  - One machine supports hundreds of honeypots, covering hundreds of IP addresses
  - Can distinguish most attacks on the same port
- Cons:
  - No real interaction to be captured
  - Limited logging/monitoring function
  - Hard to detect unknown attacks; hard to generate filters
  - Easily detectable by attackers

8 Emulation of Services

Excerpt of a shell script emulating an FTP service: each case branch answers one client command with a canned reply. The transcript cuts off at the USER branch.

```bash
# $domain is referenced but not defined in the excerpt; placeholder default added here
domain=${domain:-example.test}

# Read one command per line from the client and answer with a fixed reply
while read -r cmd args; do
  case "$cmd" in
    QUIT* )
      echo -e "221 Goodbye.\r"
      exit 0 ;;
    SYST* )
      echo -e "215 UNIX Type: L8\r" ;;
    HELP* )
      echo -e "214-The following commands are recognized (* =>'s unimplemented).\r"
      echo -e " USER PORT STOR MSAM* RNTO NLST MKD CDUP\r"
      echo -e " PASS PASV APPE MRSQ* ABOR SITE XMKD XCUP\r"
      echo -e " ACCT* TYPE MLFL* MRCP* DELE SYST RMD STOU\r"
      echo -e " SMNT* STRU MAIL* ALLO CWD STAT XRMD SIZE\r"
      echo -e " REIN* MODE MSND* REST XCWD HELP PWD MDTM\r"
      echo -e " QUIT RETR MSOM* RNFR LIST NOOP XPWD\r"
      echo -e "214 Direct comments to ftp@$domain.\r" ;;
    USER* )
      ;;   # the transcript ends here
  esac
done
```

9 High-Interaction Honeypots
- Pros:
  - Real OS; captures all attack traffic and actions
  - Can discover unknown attacks and vulnerabilities
  - Can capture and analyze code behavior
- Cons:
  - Time-consuming to build and maintain
  - Time-consuming to analyze attacks
  - Risk of being used as a stepping stone
  - High computing resource requirement

10 Honeynet
- A network of honeypots
- High-interaction honeynet: a distributed network composed of many honeypots
- Low-interaction honeynet: emulates a virtual network in one physical machine (example: honeyd)

11 Gen II Honeynet (diagram)

12 Data Control
- Prevent a honeypot from being used by attackers to attack others (legal/ethical issues)

13 The Evolution of Malware
- Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove
- Rootkits are a fast-evolving technology to achieve these goals
  - Cloaking technology applied to malware
  - Not malware by itself
  - Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm
- Rootkit history
  - Appeared as stealth viruses
  - One of the first known PC viruses, Brain, was stealth
  - First "rootkit" appeared on SunOS in 1994
  - Replacement of core system utilities (ls, ps, etc.) to hide malware processes

14 Cloaking
- Modern rootkits can cloak:
  - Processes
  - Services
  - TCP/IP ports
  - Files
  - Registry keys
  - User accounts
- Several major rootkit technologies:
  - User-mode API filtering
  - Kernel-mode API filtering
  - Kernel-mode data structure manipulation
  - Process hijacking
- Visit www.rootkit.com for tools and information

15 User-Mode API Filtering
- Attacks user-mode system query APIs
- Con: can be bypassed by going directly to kernel-mode APIs
- Pro: can infect unprivileged user accounts
- Examples: HackerDefender, Afx
(Diagram: Taskmgr.exe queries through Ntdll.dll in user mode; the rootkit filters the real process list Explorer.exe, Malware.exe, Winlogon.exe down to Explorer.exe, Winlogon.exe before it reaches the caller; the user mode / kernel mode boundary is shown below the rootkit.)

16 Kernel-Mode API Filtering
- Attacks kernel-mode system query APIs
- Cons:
  - Requires admin privilege to install
  - Difficult to write
- Pro: very thorough cloak
- Example: NT Rootkit
(Diagram: Taskmgr.exe calls through Ntdll.dll across the user mode / kernel mode boundary; the rootkit sits in kernel mode and filters the real process list Explorer.exe, Malware.exe, Winlogon.exe down to Explorer.exe, Winlogon.exe.)

17 Kernel-Mode Data Structure Manipulation
- Also called Direct Kernel Object Manipulation (DKOM)
- Attacks the active process data structure
  - The query API doesn't see the process
  - The kernel still schedules the process's threads
- Cons:
  - Requires admin privilege to install
  - Can cause crashes
  - Detection already developed
- Pro: more advanced variations possible
- Example: FU
(Diagram: the active process list Explorer.exe, Malware.exe, Winlogon.exe.)

18 Process Hijacking
- Hides inside a legitimate process
- Con: doesn't survive reboot
- Pro: extremely hard to detect
- Example: Code Red
(Diagram: Explorer.exe with the malware running inside it.)

19 Detecting Rootkits
- All cloaks have holes
  - Leave some APIs unfiltered
  - Have detectable side effects
  - Can't cloak when the OS is offline
- Rootkit detection attacks these holes
  - Cat-and-mouse game
  - Several examples:
    - Microsoft Research Strider/GhostBuster
    - RKDetect
    - Sysinternals RootkitRevealer
    - F-Secure BlackLight

20 Simple Rootkit Detection
- Perform a directory listing online and compare it with one taken from a secure alternate OS boot (see http://research.microsoft.com/rootkit/)
  - Offline OS: Windows PE, ERD Commander, BartPE
  - dir /s /ah * > dirscan.txt
  - windiff dirscanon.txt dirscanoff.txt
- This won't detect non-persistent rootkits that save to disk during shutdown

21 RootkitRevealer
- RootkitRevealer (RKR) runs online
- RKR tries to bypass the rootkit to uncover cloaked objects
  - All detectors listed do the same
  - RKR scans HKLM\Software, HKLM\System and the file system
  - Performs a Windows API scan and compares it with a raw data structure scan
(Diagram: the Windows API view, filtered by the rootkit, omits the malware files and keys; a raw scan of the file system and Registry hive still shows them.)
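Both slide 20 (online listing vs. offline listing) and slide 21 (API scan vs. raw scan) are cross-view comparisons: anything present in the trusted view but missing from the view the running OS reports was cloaked. Added example, not a tool from the page: a reducer for dir /s style output and the comparison itself, run over two constructed listings; the paths and sizes are made up.

```python
import re

# Constructed listings (not output from the page). ONLINE_SCAN is what the running,
# possibly rootkit-filtered OS reported; OFFLINE_SCAN is the same volume listed from
# a clean alternate boot. Two entries exist only offline: they were cloaked.
ONLINE_SCAN = """\
 Directory of C:\\Windows\\system32
03/15/2005  09:10 AM            12,288 ntdll.dll
03/15/2005  09:12 AM    <DIR>          drivers
               1 File(s)         12,288 bytes
"""
OFFLINE_SCAN = """\
 Directory of C:\\Windows\\system32
03/15/2005  09:10 AM            12,288 ntdll.dll
03/15/2005  09:12 AM    <DIR>          drivers
03/15/2005  09:30 AM            40,960 cloaked_svc.exe
 Directory of C:\\Windows\\system32\\cloaked_dir
03/15/2005  09:31 AM             1,024 cloaked_svc.ini
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\S+\s+(?:AM|PM)?\s*(?:<DIR>|[\d,]+)\s+(.+?)\s*$")

def parse_dir_listing(text):
    """Reduce a dir /s listing to the set of full paths it names (summary lines ignored)."""
    paths, cwd = set(), None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            cwd = m.group(1)
            continue
        m = ENTRY.match(line)
        if m and cwd and m.group(1) not in (".", ".."):
            paths.add(cwd.rstrip("\\") + "\\" + m.group(1))
    return paths

def cross_view(api_view, raw_view):
    """Objects only in the trusted raw/offline view were cloaked from the API/online
    view; objects only in the API view (phantoms) usually mean the two scans were not
    taken at the same point in time. Works for file paths and registry keys alike."""
    return sorted(raw_view - api_view), sorted(api_view - raw_view)

def find_cloaked_files(online_text, offline_text):
    """The windiff step of slide 20, done on path sets instead of raw text lines."""
    return cross_view(parse_dir_listing(online_text), parse_dir_listing(offline_text))

if __name__ == "__main__":
    for path in find_cloaked_files(ONLINE_SCAN, OFFLINE_SCAN)[0]:
        print("cloaked from the online view:", path)
```

As the slide notes, a rootkit that only writes itself to disk during shutdown leaves nothing for the offline listing to find, so an empty result is not proof of a clean system.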

22 Demo: HackerDefender
- HackerDefender before-and-after view of the file system
- Detecting HackerDefender with RootkitRevealer

23 Dealing with Rootkits
- Unless you have specific uninstall instructions from an authoritative source:
  - Don't rely on the "rename" functionality offered by some rootkit detectors
    - It might not have detected all of a rootkit's components
    - The rename might not be effective
  - Reformat the system and reinstall Windows!
