Addison wesley virtual honeypots from botnet tracking to intrusion detection jul 2007 ISBN 0321336321



Document information

Virtual Honeypots: From Botnet Tracking to Intrusion Detection
by Niels Provos; Thorsten Holz
Publisher: Addison Wesley Professional
Pub Date: July 16, 2007
Print ISBN-10: 0-321-33632-1
Print ISBN-13: 978-0-321-33632-3
Pages: 480

Overview

Praise for Virtual Honeypots

"A power-packed resource of technical, insightful information that unveils the world of honeypots in front of the reader's eyes."
—Lenny Zeltser, Information Security Practice Leader at Gemini Systems

"This is one of the must-read security books of the year."
—Cyrus Peikari, CEO, Airscanner Mobile Security, author, Security Warrior

"This book clearly ranks as one of the most authoritative in the field of honeypots. It is comprehensive and well written. The authors provide us with an insider's look at virtual honeypots and even help us in setting up and understanding an otherwise very complex technology."
—Stefan Kelm, Secorvo Security Consulting

"Virtual Honeypots is the best reference for honeypots today. Security experts Niels Provos and Thorsten Holz cover a large breadth of cutting-edge topics, from low-interaction honeypots to botnets and malware. If you want to learn about the latest types of honeypots, how they work, and what they can do for you, this is the resource you need."
—Lance Spitzner, Founder, Honeynet Project

"Whether gathering intelligence for research and defense, quarantining malware outbreaks within the enterprise, or tending hacker ant farms at home for fun, you'll find many practical techniques in the black art of deception detailed in this book. Honeypot magic revealed!"
—Doug Song, Chief Security Architect, Arbor Networks

"Seeking the safest paths through the unknown sunny islands called honeypots? Trying to avoid greedy pirates catching treasures deeper and deeper beyond your ports? With this book, any reader will definitely get the right map to handle current cyber-threats. Designed by two famous white hats, Niels Provos and Thorsten Holz, it carefully teaches everything from the concepts to practical real-life examples with virtual honeypots. The main strength of this book lies in how it covers so many uses of honeypots: improving intrusion detection systems, slowing down and following incoming attackers, catching and analyzing 0-days or malwares or botnets, and so on. Sailing the high seas of our cyber-society or surfing the Net, from students to experts, it's a must-read for people really aware of computer security, who would like to fight against black-hat flags with advanced modern tools like honeypots."
—Laurent Oudot, Computer Security Expert, CEA

"Provos and Holz have written the book that the bad guys don't want you to read. This detailed and comprehensive look at honeypots provides step-by-step instructions on tripping up attackers and learning their tricks while lulling them into a false sense of security. Whether you are a practitioner, an educator, or a student, this book has a tremendous amount to offer. The underlying theory of honeypots is covered, but the majority of the text is a 'how-to' guide on setting up honeypots, configuring them, and getting the most out of these traps, while keeping actual systems safe. Not since the invention of the firewall has a tool as useful as this provided security specialists with an edge in the never-ending arms race to secure computer systems. Virtual Honeypots is a must-read and belongs on the bookshelf of anyone who is serious about security."
—Aviel D. Rubin, Ph.D., Computer Science Professor and Technical Director of the Information Security Institute at Johns Hopkins University, and President and Founder, Independent Security Evaluators

"An awesome coverage of modern honeypot technologies, both conceptual and practical."
—Anton Chuvakin

"Honeypots have grown from simple geek tools to key components in research and threat monitoring at major enterprises and security vendors. Thorsten and Niels' comprehensive coverage of tools and techniques takes you behind the scene with real-world examples of deployment, data acquisition, and analysis."
—Nicolas Fischbach, Senior Manager, Network Engineering Security, COLT Telecom, and Founder of Sécurité.Org

Honeypots have demonstrated immense value in Internet security, but physical honeypot deployment can be prohibitively complex, time-consuming, and expensive. Now, there's a breakthrough solution. Virtual honeypots share many attributes of traditional honeypots, but you can run thousands of them on a single system, making them easier and cheaper to build, deploy, and maintain. In this hands-on, highly accessible book, two leading honeypot pioneers systematically introduce virtual honeypot technology. One step at a time, you'll learn exactly how to implement, configure, use, and maintain virtual honeypots in your own environment, even if you've never deployed a honeypot before. You'll learn through examples, including Honeyd, the acclaimed virtual honeypot created by coauthor Niels Provos. The authors also present multiple real-world applications for virtual honeypots, including network decoy, worm detection, spam prevention, and network simulation.

After reading this book, you will be able to:

  • Compare high-interaction honeypots that provide real systems and services and the low-interaction honeypots that emulate them
  • Install and configure Honeyd to simulate multiple operating systems, services, and network environments
  • Use virtual honeypots to capture worms, bots, and other malware
  • Create high-performance "hybrid" honeypots that draw on technologies from both low- and high-interaction honeypots
  • Implement client honeypots that actively seek out dangerous Internet locations
  • Understand how attackers identify and circumvent honeypots
  • Analyze the botnets your honeypot identifies, and the malware it captures
  • Preview the future evolution of both virtual and physical honeypots

Table of Contents

  • Copyright
  • Praise for Virtual Honeypots
  • Preface
  • Acknowledgments
  • About the Authors
  • Chapter 1. Honeypot and Networking Background
    • Section 1.1. Brief TCP/IP Introduction
    • Section 1.2. Honeypot Background
    • Section 1.3. Tools of the Trade
  • Chapter 2. High-Interaction Honeypots
    • Section 2.1. Advantages and Disadvantages
    • Section 2.2. VMware
    • Section 2.3. User-Mode Linux
    • Section 2.4. Argos
    • Section 2.5. Safeguarding Your Honeypots
    • Section 2.6. Summary
  • Chapter 3. Low-Interaction Honeypots
    • Section 3.1. Advantages and Disadvantages
    • Section 3.2. Deception Toolkit
    • Section 3.3. LaBrea
    • Section 3.4. Tiny Honeypot
    • Section 3.5. GHH — Google Hack Honeypot
    • Section 3.6. PHP.HoP — A Web-Based Deception Framework
    • Section 3.7. Securing Your Low-Interaction Honeypots
    • Section 3.8. Summary
  • Chapter 4. Honeyd — The Basics
    • Section 4.1. Overview
    • Section 4.2. Design Overview
    • Section 4.3. Receiving Network Data
    • Section 4.4. Runtime Flags
    • Section 4.5. Configuration
    • Section 4.6. Experiments with Honeyd
    • Section 4.7. Services
    • Section 4.8. Logging
    • Section 4.9. Summary
  • Chapter 5. Honeyd — Advanced Topics
    • Section 5.1. Advanced Configuration
    • Section 5.2. Emulating Services
    • Section 5.3. Subsystems
    • Section 5.4. Internal Python Services
    • Section 5.5. Dynamic Templates
    • Section 5.6. Routing Topology
    • Section 5.7. Honeydstats
    • Section 5.8. Honeydctl
    • Section 5.9. Honeycomb
    • Section 5.10. Performance
    • Section 5.11. Summary
  • Chapter 6. Collecting Malware with Honeypots
    • Section 6.1. A Primer on Malicious Software
    • Section 6.2. Nepenthes — A Honeypot Solution to Collect Malware
    • Section 6.3. Honeytrap
    • Section 6.4. Other Honeypot Solutions for Learning About Malware
    • Section 6.5. Summary
  • Chapter 7. Hybrid Systems
    • Section 7.1. Collapsar
    • Section 7.2. Potemkin
    • Section 7.3. RolePlayer
    • Section 7.4. Research Summary
    • Section 7.5. Building Your Own Hybrid Honeypot System
    • Section 7.6. Summary
  • Chapter 8. Client Honeypots
    • Section 8.1. Learning More About Client-Side Threats
    • Section 8.2. Low-Interaction Client Honeypots
    • Section 8.3. High-Interaction Client Honeypots
    • Section 8.4. Other Approaches
    • Section 8.5. Summary
  • Chapter 9. Detecting Honeypots
    • Section 9.1. Detecting Low-Interaction Honeypots
    • Section 9.2. Detecting High-Interaction Honeypots
    • Section 9.3. Detecting Rootkits
    • Section 9.4. Summary
  • Chapter 10. Case Studies
    • Section 10.1. Blast-o-Mat: Using Nepenthes to Detect Infected Clients
    • Section 10.2. Search Worms
    • Section 10.3. Red Hat 8.0 Compromise
    • Section 10.4. Windows 2000 Compromise
    • Section 10.5. SUSE 9.1 Compromise
    • Section 10.6. Summary
  • Chapter 11. Tracking Botnets
    • Section 11.1. Bot and Botnet 101
    • Section 11.2. Tracking Botnets
    • Section 11.3. Case Studies
    • Section 11.4. Defending Against Bots
    • Section 11.5. Summary
  • Chapter 12. Analyzing Malware with CWSandbox
    • Section 12.1. CWSandbox Overview
    • Section 12.2. Behavior-Based Malware Analysis
    • Section 12.3. CWSandbox — System Description
    • Section 12.4. Results
    • Section 12.5. Summary
  • Bibliography
  • Index

Copyright

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, (800) 382-3419, corpsales@pearsontechgroup.com. For sales outside of the U.S., please contact: International Sales, international@pearsoned.com. Visit us on the Web: www.awprofessional.com

Library of Congress Cataloging-in-Publication Data
Provos, Niels. Virtual honeypots / Niels Provos and Thorsten Holz. p. cm. Includes bibliographical references and index. ISBN 978-0-321-33632-3 (paperback : alk. paper). Computer security. I. Holz, Thorsten. II. Title. QA76.9.A25P785 2007 005.8—dc22 2007020022

Copyright © 2008 Pearson Education, Inc. All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to: Pearson Education, Inc., Rights and Contracts Department, 75 Arlington Street, Suite 300, Boston, MA 02116, Fax: (617) 848-7047. ISBN 13: 978-0-321-33632-3. Text printed on recycled paper at Courier in Stoughton, Massachusetts. First printing, July 2007.

Index (preview excerpt, entries S through Z; page numbers are not present in this preview)
[A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] [Y] [Z]

S: monitoring VMware-based honeypots overview of Security connecting virtual honeypots to Internet 2nd high-interaction honeypots honeytrap Honeywall LaBrea installation low-interaction honeypots nepenthes installation Seed, Heretrix Segments, TCP Semiglobal alignment algorithm, RolePlayer Sensors, nepenthes 2nd Sequence numbers, TCP Service Control Manager (SCM) vulnerabilities, Windows Service emulation, honeytrap Services, Honeyd configuring 2nd emulating log files runtime flag Session ID (SID), Tiny Honeypot Session logs, Tiny Honeypot set command, Honeyd droprate option ethernet option overview of uid option uptime option setSlice ( ) vulnerability, WebViewFolderIcon Active X control SGDT instructions SHA-512 hash Shadow honeypots Shell emulation, nepenthes 2nd Shell scripts, configuring Honeyd Shellcode-executer extension, Python shellcode-generic.conf, nepenthes Shellcode parsing modules defined example of overview of shutdown command, Argos SHv5 rootkit SID (session ID), Tiny Honeypot SIDT instructions Simple DirectMedia Layer (SDL) development libraries SiteAdvisor skas SLDT instructions SMTP, analyzing CWSandbox Snapshot mechanism, of QEMU Snort system HoneyC searching for malicious web servers based on monitoring VMware-based honeypots snort_inline IPS based on minimizing risk of attacks on third-party systems SOCKS proxy Software malicious [See Malware.] monitoring VMware-based honeypots virtualization SP2, Windows Spamming Spear phishing Spybot 2nd SpyBye Spyware as bots client-side attacks installing studying on Internet SquirrelMail honeypot SSDT (System Service Dispatch Table) 2nd Static analysis, malicious software Static IPs Statistics, nepenthes 2nd stdin, Honeyd stdout, Honeyd Storm Worm bot strace tool su command, Honeywall Submission modules 2nd submit-*.conf, nepenthes Subsystems, Honeyd 2nd sudo command, Honeyd SURFnet IDS SUSE 9.1 case study evaluation of attack overview of summary of attack timeline of attack tools involved in attack -sV flag, NMap svchost processes SVM (Pacifica) Switches Symantec SYN flag, TCP System call interposition System Service Dispatch Table (SSDT) 2nd System Service hooking Systrace

T: T (-dry-run), LaBrea installation -t (-throttle-size) database, LaBrea installation -T[0-5] flag, NMap tap0 virtual device tar.gz-ball Tarpits Tarpitting module, Collapsar Tcpdump TCP/IP (Transmission Control Protocol/Internet Protocol) TCP SYN flooding attacks TCP SYN packets TCP (Transmission Control Protocol) detecting low-interaction honeypots Honeyd packet logs Honeytrap and LaBrea utilizing understanding tcpdump 2nd Templates, Honeyd add command advanced configuration bind command create command defined delete command dynamic set command TFTP (Trivial File Transfer Protocol), botnets using thp (Tiny Honeypot) capture logs installation netfilter logs observations overview of session logs Throttling, LaBrea Timestamps 2nd Timing-based detection detecting low-interaction honeypots detecting virtual machines through hidden page faults Tiny Honeypot [See thp (Tiny Honeypot).] Titan Rain attacks TLB (translation look-aside buffer) Tools, fingerprinting Nmap tcpdump Wireshark Toxbot Tracing Thread (TT) mode, UML Tracking, botnets Traffic redirectors, Collapsar Translation look-aside buffer (TLB) Transmission Control Protocol [See TCP (Transmission Control Protocol).] Transmission Control Protocol/Internet Protocol (TCP/IP) Transport Layer Internet protocol suite TCP UDP Trivial File Transfer Protocol (TFTP), botnets using Trojan horses 2nd TT (Tracing Thread) mode, UML tty logging TUN/TAP device 2nd tunctl utility, UML Typosquatting (URL hijacking)

U: UDP (User Datagram Protocol) flooding attacks 2nd Honeyd packet logging with overview of uid option, set command UML (User-mode Linux) building virtual high-interaction honeynet connecting virtual honeypot to Internet detecting installation and setup monitoring honeypots overview of runtime flags and configuration setting up virtual honeypots 2nd uml_net utility, UML uml_switch utility, UML UNICODE, analysis of Updates bots using 2nd Windows vulnerabilities uptime option, set command UPX UrBot URG flag, TCP URLs, malicious analyzing suspicious sites analyzing with SpyBye high-interaction client honeypots finding/analyzing looking for urls.txt file UrXBot User-Agent field, HTTP header User Datagram Protocol [See UDP (User Datagram Protocol).] User-mode Linux [See UML (User-mode Linux).] Usernames botnet setup bots using weak configuring Honeywall USR1 signal -v (-verbose), LaBrea installation

V: Vanderpool (VT) Variable expansion, Honeyd Versions, VMware Virtual filesystem, nepenthes Virtual honeypots advantages and disadvantages connecting to Internet creating defined Virtual machine monitor [See VMM (virtual machine monitor).] Virtual machines [See also vmx files.] analyzing spyware on Internet with Collapsar architecture detecting Potemkin architecture virtualization vs emulation of Virtual networks setting up with Argos setting up with UML setting up with VMware Virtual PC Virtual system Virtualization software [See VMware.] Virusscan, CWSandbox Visitor, HoneyC VMM (virtual machine monitor) detecting presence of overview of Potemkin using vmnet VMTN (VMware Technology Network) VMware adding monitoring software building virtual high-interaction honeynet combining with Honeyd connecting virtual honeypot to Internet creating virtual honeypot detecting overview of preventing detection of setting up virtual high-interaction honeypot setting up virtual honeypots 2nd versions of virtual network with VMware ESX Server VMware Fusion VMware GSX Server VMware Player creating virtual honeypot for VMware overview of setting up virtual honeypot VMware Technology Network (VMTN) VMware Workstation 2nd VMware Server creating virtual honeypot for VMware installation and setup for overview of vmx files creating virtual honeypot for VMware with QEMU preventing detection of VMware virtual machine format VPN tunnel, deploying nepenthes VT (Vanderpool) vuln-*.conf, nepenthes Vulnerabilities [See also Botnets; Client-side threats; Microsoft; Windows.] Horde Application Framework ptrace in Linux 2nd search engines for finding in XAMPP Vulnerability modules defined detecting nepenthes remotely example of implementing overview of results of

W: -w filename flag, tcpdump W32.Randex.D worm Web spidering attacks Webattacker Websites, malicious WebUtil2.7 honeypot Wever, Berend-Jan Windows API hooking how Honeyd works in NT 4 installing QEMU to use with Argos SP2 features for preventing worms VMware for 2nd vulnerabilities to botnets 2nd 3rd vulnerabilities to Haxdoor Wireshark for Windows 2000 case study evaluation of attack overview of summary of attack timeline of attack tools involved in attack Windows Explorer vulnerability 2nd Windows Meta Files (WMF) vulnerability Windump Winnie fingerprinting tool Winsock Wireshark Honeywall enabling Data Capture through monitoring UML-based honeypots overview of .WMF (Windows Meta Files) vulnerability Worms [See also Search Worms.] Blaster worm Bofra worm containing detecting with Billy Goat Storm Worm Windows SP2 features for preventing Zotob worm 2nd -x (-disable-capture), LaBrea installation -X (-exclude-resolvable-ips), LaBrea installation -X flag, tcpdump -x (-hard-capture), LaBrea installation -x xprob runtime flag, Honeyd

X: x2.conf, nepenthes XAMPP, vulnerabilities in XOR encoder 2nd Xot bot XT Bot

Y: Yahoo search queuer, HoneyC

Z: Zero-day (0day) attacks defined detecting with Argos [See Argos.] extending nepenthes to handle handling high-interaction honeypots detecting Internet Explorer vulnerabilities to low-interaction honeypots not for against Office applications Zombie Zotob worm 2nd

Date posted: 26/03/2019, 17:06


