Trends in Evasion and Anonymity

Various techniques were used against the honeynet to frustrate our ability to directly identify attackers. These tactics were only found occasionally in honeynet logs. Regardless of these techniques, the attackers' actions were still fully monitored even if the source of the attacks was obscured.

Proxy Servers

About 6% of attacks were detected as using a proxy server. Proxy servers act as an intermediary between a web browser and a web server. Some organisations, such as universities, may require their users to make use of a proxy server to monitor and audit web traffic or to cache commonly fetched documents. Other proxy servers, termed 'open proxies', allow anyone to connect to them. This allows attackers to obfuscate their source address by having another server make the HTTP requests on their behalf. While this approach can successfully cover an attacker's identity, it does not increase the stealthiness of their attack. Some proxy servers are designed to relay the client's address along with the HTTP request, while some 'anonymous' proxy servers do not. The honeynet saw attacks from both types of proxies.
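The distinction between relaying and anonymous proxies can be checked directly from the request headers a honeypot records. The following Python is an added example, not code from the honeynet paper or the project: it assumes requests are available as raw HTTP header blocks (the samples below are constructed) and looks at the standard Via, X-Forwarded-For and Forwarded (RFC 7239) fields that relaying proxies add. The TCP peer address is the proxy itself; the relayed client address is a header value supplied by the proxy, so it is recorded as a claim rather than a verified source.

```python
"""Proxy-use detection for honeypot HTTP request logs (added example, constructed samples)."""
import re
from typing import Dict, Optional

# RFC 7239 Forwarded: for=192.0.2.60  or  for="[2001:db8::1]:4711"
FORWARDED_FOR_RE = re.compile(r'for="?\[?([0-9a-fA-F.:]+)', re.IGNORECASE)


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw request (request line + headers) into a lower-cased header dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def relayed_client(headers: Dict[str, str]) -> Optional[str]:
    """Address a relaying proxy passed on, or None when the proxy is 'anonymous'."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()  # leftmost entry is the original client
    fwd = headers.get("forwarded")
    if fwd:
        m = FORWARDED_FOR_RE.search(fwd)
        if m:
            return m.group(1)
    return None


def classify(raw: str, peer_ip: str) -> Dict[str, object]:
    """Summarise whether a request came through a proxy and what it claims about the client."""
    headers = parse_headers(raw)
    via = headers.get("via")
    client = relayed_client(headers)
    proxied = bool(via) or client is not None
    return {
        "peer": peer_ip,                 # what the TCP connection shows: the proxy, if any
        "proxied": proxied,
        "proxy_chain": via,              # Via lists each hop that relayed the request
        "claimed_client": client,        # header-supplied, not verified
        "anonymous_proxy": proxied and client is None,
    }


# Constructed sample requests (documentation addresses, not real hosts).
DIRECT = "GET /phpshell.php HTTP/1.1\r\nHost: honeypot.example\r\nUser-Agent: Mozilla/5.0\r\n"
TRANSPARENT = (
    "GET /phpshell.php HTTP/1.1\r\nHost: honeypot.example\r\n"
    "Via: 1.1 proxy.example.edu (squid)\r\nX-Forwarded-For: 203.0.113.7\r\n"
)
RFC7239 = (
    "GET /phpshell.php HTTP/1.1\r\nHost: honeypot.example\r\n"
    'Forwarded: for="[2001:db8::1]:4711";proto=http\r\n'
)
ANON = "GET /phpshell.php HTTP/1.1\r\nHost: honeypot.example\r\nVia: 1.0 open-proxy.example\r\n"

if __name__ == "__main__":
    for name, raw, peer in [("direct", DIRECT, "198.51.100.5"), ("transparent", TRANSPARENT, "192.0.2.10"),
                            ("rfc7239", RFC7239, "192.0.2.10"), ("anonymous", ANON, "192.0.2.20")]:
        print(name, classify(raw, peer))
```

The anonymous case is the one the text describes: the request is visibly proxied (a Via header is present) but no client address is relayed, so the only address available for attribution is the proxy's own.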

Google Translate

Similar to the proxy server, the Google Translate service can act as a proxy as it translates websites for its users. The Google Translate service will make HTTP connections to websites and relay them to the users of Google Translate. This is an older technique to obfuscate IP addresses, similar to an anonymous proxy, but the behavior of the service has since changed. The Google Translate service now forwards the IP address of its users. Attackers still using the Google Translate service against the honeynet are exposing their source IP address. For example, to translate the Honeynet webpage into French, you could use the following URL: http://www.google.com/translate?u=http%3A%2F%2Fwww.honeynet.org&langpair=en%7Cfr&hl=en&ie=UTF8. Google would then fetch the web page on behalf of the attacker; however, this technique no longer anonymises the attacker.

Onion Routing

Onion routing is a routing technology used to ensure the privacy of its users, where each node only has partial information about the route of the packets. A service sponsored by the Electronic Frontier Foundation called Tor is an implementation of this concept. Tor builds paths of randomly selected, encrypted tunnels and acts as a proxy for client applications, such as web browsers. The honeynet was able to identify only 40 (.01%) attacks making use of the Tor service.

Of the seven unique attacks using Tor, there were only two worth noting. The others simply reached the honeypot and took no further action. The first attack traversed four honeypots and attempted nothing more malicious than exploring the filesystems and attempting to create a hidden directory. The attacker discovered the honeypots using Google, using the query "inurl:phpshell.php filetype:php". The second attack only touched one honeypot on the honeynet and attempted to retrieve a 'config.php' file. Applications written in PHP commonly include a 'config.php' file, which usually contains passwords or sensitive information regarding the application. In the case of PHPShell, the config.php file includes usernames and passwords as well as some other configuration information.

2006-11-17 06:29:49 Signatures: Known Search Engine: google.com;
Referrer: http://www.google.com/search?q=inurl:phpshell.php;filetype:php
2006-11-17 06:29:58 ps ax;
2006-11-17 06:30:07 uname -a;
2006-11-17 06:30:24 cd /tmp;
2006-11-17 06:30:43 cd /tmp;
2006-11-17 06:30:47 ;
2006-11-17 06:30:55 ls;
2006-11-17 06:31:04 mkdir .sec;
2006-11-17 06:31:07 ls;
2006-11-17 06:31:17 cd .sec;
2006-11-17 06:31:28 cd /var/tmp;

Figure 4. Example session from an attacker using Tor
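The session in Figure 4 is compact enough to triage by eye, but a honeynet collecting thousands of them needs the same reading done automatically. The following Python is an added example, not code from the honeynet paper: it parses the timestamped log format shown in Figure 4 (the sample below is the figure's own lines), joins the continuation line that carries the referrer, and tags the behaviours the text calls out: discovery through a search-engine query, reconnaissance commands, moving into world-writable staging directories and creation of a hidden directory. The command categories are this example's own choices, not a classification from the paper.

```python
"""Triage of a PHPShell-style command session log (added example; sample is Figure 4's lines)."""
import re
from urllib.parse import unquote
from typing import Dict, List, Tuple

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
# Example categories (assumptions for this triage, not from the paper)
RECON_CMDS = {"uname", "ps", "id", "whoami", "w", "ls", "cat"}
STAGING_DIRS = {"/tmp", "/var/tmp", "/dev/shm"}


def parse_session(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, body) pairs; lines without a timestamp continue the previous entry."""
    entries: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TS_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2).strip()])
        elif entries:
            entries[-1][1] += " " + line.strip()
    # the logger terminates each command with ';'
    return [(ts, body.rstrip(";").strip()) for ts, body in entries]


def analyse_session(text: str) -> Dict[str, list]:
    """Extract the command list and a list of (timestamp, finding, detail) tuples."""
    findings: List[Tuple[str, str, str]] = []
    commands: List[str] = []
    for ts, body in parse_session(text):
        if body.startswith("Signatures:"):
            if "Search Engine" in body:
                m = re.search(r"[?&]q=([^&\s]+)", body)  # query string of the referrer
                findings.append((ts, "search-engine discovery", unquote(m.group(1)) if m else ""))
            continue
        if not body:  # an empty submission such as the bare ';' in the figure
            continue
        commands.append(body)
        argv = body.split()
        cmd = argv[0]
        if cmd in RECON_CMDS:
            findings.append((ts, "reconnaissance", body))
        elif cmd == "mkdir" and any(
            a.split("/")[-1].startswith(".") and a.split("/")[-1] not in (".", "..")
            for a in argv[1:] if not a.startswith("-")
        ):
            findings.append((ts, "hidden directory created", body))
        elif cmd == "cd" and len(argv) > 1 and argv[1] in STAGING_DIRS:
            findings.append((ts, "staging directory", body))
    return {"commands": commands, "findings": findings}


# Lines copied from Figure 4 of the text.
SESSION_LOG = """2006-11-17 06:29:49 Signatures: Known Search Engine: google.com;
Referrer: http://www.google.com/search?q=inurl:phpshell.php;filetype:php
2006-11-17 06:29:58 ps ax;
2006-11-17 06:30:07 uname -a;
2006-11-17 06:30:24 cd /tmp;
2006-11-17 06:30:43 cd /tmp;
2006-11-17 06:30:47 ;
2006-11-17 06:30:55 ls;
2006-11-17 06:31:04 mkdir .sec;
2006-11-17 06:31:07 ls;
2006-11-17 06:31:17 cd .sec;
2006-11-17 06:31:28 cd /var/tmp;
"""

if __name__ == "__main__":
    result = analyse_session(SESSION_LOG)
    for ts, kind, detail in result["findings"]:
        print(ts, kind, "|", detail)
```

Run on Figure 4, the first finding is the Google query that located the honeypot, followed by the reconnaissance commands, the moves into /tmp and /var/tmp, and the 'mkdir .sec' that the text singles out.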

Script Encoding

The downside for attackers using a scripting language for a web-based backdoor is that the source code is inherently readable by anyone who obtains the file. A specific backdoor found by the honeynet called 'r57 shell' employed multiple PHP functions to decode itself before running.
eval(gzinflate(pack("H*",'dd3cdb56e3ca72cf9bb5ce[...]cd95ff04')));
The PHP functions pack() and gzinflate() decode the PHP code that needs to run, which is then sent into the eval() function. This is a very trivial way of obscuring source code, but it is all one can ask for when using an interpreted language like PHP.
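Because the decoding steps are named in the wrapper itself, an analyst can reverse them statically without ever executing the backdoor. The following Python is an added example, not code from the honeynet paper or from the r57 shell: it recognises the eval(gzinflate(pack("H*", ...))) wrapper shown above, reverses pack("H*") with a hex decode and gzinflate() with a raw DEFLATE inflate (PHP's gzinflate() takes data with no zlib or gzip header), and peels nested layers until plain source remains. The encoder at the end is a constructed helper that builds the same wrapper around a harmless line so the decoder can be exercised offline; the payload on the page is truncated and is not reproduced here.

```python
"""Static unwrapping of eval(gzinflate(pack("H*", ...))) layers (added example, constructed sample)."""
import re
import zlib
from typing import Optional, Tuple

WRAPPER_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*pack\s*\(\s*["']H\*["']\s*,\s*["']([0-9a-fA-F]+)["']\s*\)\s*\)\s*\)"""
)


def php_pack_hex(hexstr: str) -> bytes:
    """Equivalent of PHP pack('H*', s): high-nibble-first hex string to bytes.
    An odd-length string is padded with a zero nibble (assumption about PHP's behaviour)."""
    if len(hexstr) % 2:
        hexstr += "0"
    return bytes.fromhex(hexstr)


def php_gzinflate(data: bytes) -> bytes:
    """Equivalent of PHP gzinflate(): raw DEFLATE stream, no zlib/gzip header (wbits=-15)."""
    return zlib.decompress(data, wbits=-15)


def decode_layer(php_source: str) -> Optional[str]:
    """Return the source hidden inside one wrapper, or None if no wrapper is present."""
    m = WRAPPER_RE.search(php_source)
    if not m:
        return None
    return php_gzinflate(php_pack_hex(m.group(1))).decode("utf-8", "replace")


def decode_all(php_source: str, max_layers: int = 10) -> Tuple[str, int]:
    """Peel nested wrappers; returns (innermost source, number of layers removed)."""
    current, layers = php_source, 0
    while layers < max_layers:
        inner = decode_layer(current)
        if inner is None:
            break
        current, layers = inner, layers + 1
    return current, layers


def encode_layer(php_source: str) -> str:
    """Constructed helper: wrap source the same way so the decoder can be tested offline."""
    comp = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE, matching gzinflate()
    raw = comp.compress(php_source.encode()) + comp.flush()
    return "eval(gzinflate(pack(\"H*\",'%s')));" % raw.hex()


# Constructed harmless inner code; eval() in PHP takes code without an opening tag.
INNER = 'echo "constructed inner layer";'
SAMPLE = encode_layer(encode_layer(INNER))  # two nested layers

if __name__ == "__main__":
    source, n = decode_all(SAMPLE)
    print("layers removed:", n)
    print(source)
```

The regex deliberately accepts either quote style and arbitrary whitespace, since hand-edited copies of the shell vary in formatting while keeping the same three calls; a scanner for web roots can apply the same pattern to flag files that carry the wrapper before any decoding is attempted.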