Virtual Honeypots: From Botnet Tracking to Intrusion Detection »

Niels Provos received a Ph.D. from the University of Michigan in 2003, where he studied experimental and theoretical aspects of computer and network security. He is one of the OpenSSH creators and known for his security work on OpenBSD. He developed Honeyd, a popular open source honeypot platform; SpyBye, a client honeypot that helps web masters to detect malware on their web pages; and many other tools such as Systrace and Stegdetect. He is a member of the Honeynet Project and an active contributor to open source projects. Provos is currently employed as senior staff engineer at Google, Inc.

Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems at the University of Mannheim, Germany. He is one of the founders of the German Honeynet Project and a member of the Steering Committee of the Honeynet Research Alliance. His research interests include the practical aspects of secure systems, but he is also interested in more theoretical considerations of dependable systems. Currently, his work concentrates on bots/botnets, client honeypots, and malware in general. He regularly blogs at http://honeyblog.org.

Praise for Virtual Honeypots

"A power-packed resource of technical, insightful information that unveils the world of honeypots in front of the reader’s eyes."

—Lenny Zeltser, Information Security Practice Leader at Gemini Systems

"This is one of the must-read security books of the year."

—Cyrus Peikari, CEO, Airscanner Mobile Security, author, security warrior

"This book clearly ranks as one of the most authoritative in the field of honeypots. It is comprehensive and well written. The authors provide us with an insider’s look at virtual honeypots and even help us in setting up and understanding an otherwise very complex technology."

—Stefan Kelm, Secorvo Security Consulting

"Virtual Honeypots is the best reference for honeypots today. Security experts Niels Provos and Thorsten Holz cover a large breadth of cutting-edge topics, from low-interaction honeypots to botnets and malware. If you want to learn about the latest types of honeypots, how they work, and what they can do for you, this is the resource you need."

—Lance Spitzner, Founder, Honeynet Project

"Whether gathering intelligence for research and defense, quarantining malware outbreaks within the enterprise, or tending hacker ant farms at home for fun, you’ll find many practical techniques in the black art of deception detailed in this book. Honeypot magic revealed!"

—Doug Song, Chief Security Architect, Arbor Networks

"Seeking the safest paths through the unknown sunny islands called honeypots? Trying to avoid greedy pirates catching treasures deeper and deeper beyond your ports? With this book, any reader will definitely get the right map to handle current cyber-threats.

Designed by two famous white hats, Niels Provos and Thorsten Holz, it carefully teaches everything from the concepts to practical real-life examples with virtual honeypots. The main strength of this book relies in how it covers so many uses of honeypots: improving intrusion detection systems, slowing down and following incoming attackers, catching and analyzing 0-days or malwares or botnets, and so on.

Sailing the high seas of our cyber-society or surfing the Net, from students to experts, it’s a must-read for people really aware of computer security, who would like to fight against black-hats flags with advanced modern tools like honeypots."

—Laurent Oudot, Computer Security Expert, CEA

"Provos and Holz have written the book that the bad guys don’t want you to read. This detailed and comprehensive look at honeypots provides step-by-step instructions on tripping up attackers and learning their tricks while lulling them into a false sense of security. Whether you are a practitioner, an educator, or a student, this book has a tremendous amount to offer. The underlying theory of honeypots is covered, but the majority of the text is a ‘how-to’ guide on setting up honeypots, configuring them, and getting the most out of these traps, while keeping actual systems safe. Not since the invention of the firewall has a tool as useful as this provided security specialists with an edge in the never-ending arms race to secure computer systems. Virtual Honeypots is a must-read and belongs on the bookshelf of anyone who is serious about security."

—Aviel D. Rubin, Ph.D., Computer Science Professor and Technical Director of the Information Security Institute at Johns Hopkins University, and President and Founder, Independent Security Evaluators

"An awesome coverage of modern honeypot technologies, both conceptual and practical."

—Anton Chuvakin

"Honeypots have grown from simple geek tools to key components in research and threat monitoring at major entreprises and security vendors. Thorsten and Niels comprehensive coverage of tools and techniques takes you behind the scene with real-world examples of deployment, data acquisition, and analysis."

—Nicolas Fischbach, Senior Manager, Network Engineering Security, COLT Telecom, and Founder of Sécurité.Org

Honeypots have demonstrated immense value in Internet security, but physical honeypot deployment can be prohibitively complex, time-consuming, and expensive. Now, there’s a breakthrough solution. Virtual honeypots share many attributes of traditional honeypots, but you can run thousands of them on a single system-making them easier and cheaper to build, deploy, and maintain.

In this hands-on, highly accessible book, two leading honeypot pioneers systematically introduce virtual honeypot technology. One step at a time, you’ll learn exactly how to implement, configure, use, and maintain virtual honeypots in your own environment, even if you’ve never deployed a honeypot before.

You’ll learn through examples, including Honeyd, the acclaimed virtual honeypot created by coauthor Niels Provos. The authors also present multiple real-world applications for virtual honeypots, including network decoy, worm detection, spam prevention, and network simulation.

After reading this book, you will be able to

• Compare high-interaction honeypots that provide real systems and services and the low-interaction honeypots that emulate them
• Install and configure Honeyd to simulate multiple operating systems, services, and network environments
• Use virtual honeypots to capture worms, bots, and other malware
• Create high-performance "hybrid" honeypots that draw on technologies from both low- and high-interaction honeypots
• Implement client honeypots that actively seek out dangerous Internet locations
• Understand how attackers identify and circumvent honeypots
• Analyze the botnets your honeypot identifies, and the malware it captures
• Preview the future evolution of both virtual and physical honeypots

Preface     xiii
Acknowledgments     xxi
About the Authors     xxiii
Honeypot and Networking Background     1
Brief TCP/IP Introduction     1
Honeypot Background     7
High-Interaction Honeypots     9
Low-Interaction Ploneypots     10
Physical Honeypots     11
Virtual Honeypots     11
Legal Aspects     12
Tools of the Trade     13
Tcpdump     13
Wireshark     15
Nmap     16
High-Interaction Honeypots     19
Advantages and Disadvantages     20
VMware     22
Different VMware Versions     25
Virtual Network with VMware     26
Setting Up a Virtual High-Interaction Honeypot     29
Creating a Virtual Honeypot     33
Adding Additional Monitoring Software     37
Connecting the Virtual Honeypot to the Internet     39
Building a Virtual High-Interaction Honeynet     40
User-Mode Linux     41
Overview     41
Installation and Setup     42
Runtime Flags and Configuration     46
Monitoring UML-BasedHoneypots     50
Connecting the Virtual Honeypot to the Internet     51
Building a Virtual High-Interaction Honeynet     52
Argos     52
Overview     53
Installation and Setup for Argos Honeypots     54
Safeguarding Your Honeypots     62
Honeywall     63
Summary     69
Low-Interaction Honeypots     71
Advantages and Disadvantages     72
Deception Toolkit     73
LaBrea     74
Installation and Setup     75
Observations     81
Tiny Honeypot     81
Installation     82
Capture Logs     83
Session Logs     85
NetfilterLogs     85
Observations     86
GHH - Google Hack Honeypot     87
General Installation     87
Installing the Transparent Link     91
Access Logging     92
PHP-HoP - A Web-Based Deception Framework     94
Installation     95
HipHop     96
PhpMyAdmin     97
Securing Your Low-Interaction Honeypots     98
Chroot Jail     98
Systrace      101
Summary     103
Honeyd - The Basics     105
Overview     106
Features     107
Installation and Setup     108
Design Overview     109
Interaction Only via the Network     111
Multiple IP Addresses     111
Deceiving Fingerprinting Tools     111
Receiving Network Data     112
Runtime Flags     114
Configuration     115
Create     117
Set     117
Add     121
Bind     123
Delete     124
Include     125
Experiments with Honeyd     125
Experimenting with Honeyd Locally     125
Integrating Virtual Honeypots into Production Networks     128
Services     129
Logging     131
Packet-Level Logging     131
Service-Level Logging     133
Summary     134
Honeyd - Advanced Topics     135
Advanced Configuration     136
Set     136
Tarpit     137
Annotate     138
Emulating Services     139
Scripting Languages      139
SMTP     139
Subsystems     142
Optimizing Subsystems     145
Internal Python Services     146
Dynamic Templates     148
Routing Topology     150
Honeydstats     154
Honeydctl     156
Honeycomb     158
Performance     160
Summary     161
Collecting Malware with Honeypots     163
A Primer on Malicious Software     164
Nepenthes - A Honeypot Solution to Collect Malware     165
Architecture of Nepenthes     167
Limitations     176
Installation and Setup     177
Configuration     179
Command Line Flags     181
Assigning Multiple IP Addresses     183
Flexible Deployment     185
Capturing New Exploits     186
Implementing Vulnerability Modules     187
Results     188
Lessons Learned     196
Honeytrap     197
Overview     197
Installation and Configuration     200
Running Honeytrap     203
Other Honeypot Solutions for Learning About Malware      204
Muliipot     204
HoneyBOT     205
Billy Goat     205
Learning About Malicious Network Traffic     206
Summary     207
Hybrid Systems     209
Collapsar     211
Potemkin     214
RoiePlayer     220
Research Summary     224
Building Your Own Hybrid Honeypot System     224
NAT and High-Interaction Honeypots     224
Honeyd and High-Interaction Honeypot     228
Summary     230
Client Honeypots     231
Learning More About CHent-Side Threats     232
A Closer Look at MS04-040     233
Other Types of Client-Side Attacks     236
Toward Client Honeypots     238
Low-Interaction Client Honeypots     241
Learning About Malicious Websites     241
HoneyC     246
High-Interaction Client Honeypots     253
Design of High-Interacrion Client Honeypots     254
HoneyClient     258
Capture-HPC     260
HoneyMonkey     262
Other Approaches     263
Studying Spyware on the Internet     264
SpyBye      267
SiteAdvisor     270
Further Research     271
Summary     272
Detecting Honeypots     273
Detecting Low-Interaction Honeypots     274
Detecting High-Interaction Honeypots     280
Detecting and Disabling Sebek     281
Detecting the Honeywall     285
Circumventing Honeynet Logging     286
VMware and Other Virtual Machines     289
QEMU     297
User-Mode Linux     298
Detecting Rootkits     302
Summary     305
Case Studies     307
Blast-o-Mat: Using Nepenthes to Detect Infected Clients     308
Motivation     309
Nepenthes as Part of an Intrusion Detection System     311
Mitigation of Infected Systems     312
A Modern Trojan: Haxdoor     316
Lessons Learned with Blast-o-Mat     320
Lightweight IDS Based on Nepenthes     321
SURFnetIDS     325
Search Worms     327
Red Hat S.O Compromise     332
Attack Summary     334
Attack Timeline     335
Tools Involved     338
Attack Evaluation     343
Windows 2000 Compromise     343
Attack Summary     344
Attack Timeline     345
Tools Involved     347
Attack Evaluation     350
SUSE 9.1 Compromise     351
Attack Summary     351
Attack Timeline     352
Tools Involved     354
Attack Evaluation     356
Summary     357
Tracking Botnet     359
Bot and Botnet 1O1     360
Examples of Bots     362
Spywarein the Form of Bots     366
Botnet Control Structure     369
DDoS Attacks Caused by Botnets     372
Tracking Botnets     373
Observing Botnets     375
Case Studies     376
Mocbot and MS06-040     381
Other Observations     384
Defending Against Bots     387
Summary     390
Analyzing Malware with CWSandbox     391
CWSandbox Overview     392
Behavior-Based Malware Analysis     394
Code Analysis     394
Behavior Analysis     395
API Hooking     396
Code Injection     400
CWSandbox - System Description      401
Architecture     402
Results     405
Example Analysis Report     406
Large-Scale Analysis     411
Summary     413
Bibliography     415
Index     423