South Africa Chapter Status Report for 2011

ORGANIZATION

As we are a new chapter in the HoneyNet Project, there have been no changes to the organizational structure. Barry and I are working on expanding the network within South Africa in an attempt to gain more sensor nodes and hopefully track attacks over a larger area within the country.

Chapter Members:

Matt Erasmus
Matt Erasmus is in charge of the South African chapter pages on both http://honeynet.org and http://honeynet.org.za

Barry Irwin
Barry Irwin provides hosting, advice and a lot of IP space within South Africa.

DEPLOYMENTS

The following have been deployed within South African IP space

  • Dionaea malware honeypot running on Ubuntu Server
  • Kippo SSH honeypot running on Ubuntu Server
  • While not strictly honeypots, there are also 6 /24 net blocks acting as telescopes, some of which will be converted to honeypot space in the next few months.
  • The primary kippo honeypot has seen a little interest from over seas attackers although very little attacks seem to be originating from within South Africa. This could be due to the IP space the honey pot is sitting in, although this is mostly speculation. The honeypot has had the following pieces of malware dropped and used:

  • rkg_jpg / 63f3291c905146d564d1e462f2d1f0ab
  • ICE_UNIX_tgz / 8446f7b84f4cd457edfe7a57a031f527
  • bfkhk_do_am_bot_tgz / c2410de1f38629339084b4082d247477
  • Matt plans on writing a detailed report on each as soon as time permits.
    On the Dionaea honeypot there has been little change in attacks. Conficker attacks (ms08-067) still feature very highly. However on the 14th of April there was a rather large attack against MSSQL from 75.146.27.177. I have yet to decyper the content and context of the attack but there were 7868 different attacks against the MSSQL service.

    RESEARCH AND DEVELOPMENT

    Matt is hoping to write some code to parse Kippo log files. The premise behind the tool will be parse the log files for attacking IP addresses, successful and failed logins and any malware that may have been dropped.
    Matt also wrote a very simple python script to parse GlastopfNG logs from sqlite databases. The script allows for searching of URLs and IP addresses within the database.

    FINDINGS

    There seems to be very little SSH activity coming to the honeypots within South Africa. While there are many brute force attempts that prove successful, there are very few “returns” or actual login activity. At most the attackers will login, run “w” or “uptime” and then log off. I’d like to experiment a little more with Kippo and see if there is something that could be tipping off attackers to the presence of a honeypot.

    The Dionaea pot has seen a few attacks other than the usual MSSQL/SMB/08-067 attacks. Of the 125 submissions, there have been 24 unique samples from 46 unique source IP addresses.
    The main featuring malware seems to be “bb6.jpg” (ebbfa21230fdda9eccf16ae4295534d3) which originates from 60.10.179.100.

    Information gathering on attacker IP addresses etc. is done using Maltego CE. We are currently working on getting a licensed copy of Maltego from Paterva who have graciously offered to assist us. Until such time as we have a licensed copy, we will be unable to publish any of this information as the CE edition doesn’t allow for exporting of graphs.

    Malware analysis done by Matt Erasmus is a combination of static and dynamic analysis. This is done using various tools and processes on a Windows XP virtual machine running in Vmware Fusion.

    Some of the tools used during static analysis include:

  • Malzilla
  • Yara
  • pescanner.py (from the Malware Analysts Cookbook)
  • El Jefe has been reviewed but didn’t produce output that was useful for reporting purposes.
    Most analysis and tracking is working well. Time is the biggest issue that hampers research and investigation. The areas where improvement is needed is probably around attack tracking and correlation.

    PAPERS AND PRESENTATIONS

    Matt is working on a presentation for ZaCon http://zacon.org.za, which will happen in October. There will also be presentations made at ISSA and BSidesCapeTown when the conferences happen. More information on these presentations will be announced as and when they are ready for public consumption.

    GOALS
    The main area of improvement would be to widen the area of tracking within South Africa. We have spoken to interested parties and will continue to attempt to grow the network and awareness of the HoneyNet Project within South Africa.
    While we are a new chapter, there is a lot to do and a lot of support to build. It’s going to be a very good year for the South African Chapter.