<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Honeynet</title>
	<atom:link href="http://chicagohoneynet.org/feed/" rel="self" type="application/rss+xml" />
	<link>http://chicagohoneynet.org</link>
	<description>Chicago Honeynet Project</description>
	<lastBuildDate>Mon, 26 Mar 2012 17:59:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Status Report</title>
		<link>http://chicagohoneynet.org/status-report/</link>
		<comments>http://chicagohoneynet.org/status-report/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 17:48:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Honeynet]]></category>

		<guid isPermaLink="false">http://chicagohoneynet.org/?p=12</guid>
		<description><![CDATA[Chicago Honeynet Project Status Report: April 2007 DEPLOYMENTS Current technologies deployed We have a web application honeynet deployed with approximately eight nodes, running the Google Hack Honeypot. We are currently involved in the Global Distributed Honeynet with a Chicago based &#8230; <a href="http://chicagohoneynet.org/status-report/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Chicago Honeynet Project<br />
Status Report: April 2007</p>
<p><strong>DEPLOYMENTS</strong><br />
Current technologies deployed<br />
We have a web application honeynet deployed with approximately eight nodes, running the Google Hack Honeypot. We are currently involved in the Global Distributed Honeynet with a Chicago-based node.</p>
<p><strong>FINDINGS</strong><br />
Highlight any unique findings<br />
We are observing the use of search engines as a propagation method in worms and as a discovery tool for exploits. We have retrieved worms using multiple search engines, including Yahoo, Google, and Altavista, with the intent of expanding botnets. Typical outcomes from these compromises include defacements, spam, botnet recruitment, and phishing.</p>
<p><strong>LESSONS LEARNED</strong><br />
What new positive things can you share with the community, so they can replicate your success?<br />
We have released and open-sourced new versions of the Google Hack Honeypot to the public, which extend its honeynetting functionality with XML-RPC-based logging and SSL support. We also released a KYE paper titled &#8220;Web Application Threats&#8221; in February.<br />
What new mistakes can you share with the community, so they don&#8217;t make the same mistakes?<br />
Nothing significant enough to report. We can say with total certainty, however, that public computer labs are not a good location for a server.<br />
Are there any research ideas you would like to see developed?<br />
Scanning tools for web applications are still primitive or not readily available. Tools like nmap are definitive when searching for vulnerable services, but the abstraction layer provided by web servers makes it nearly impossible to simply scan for available services that operate over HTTP. Information sources for these web-based services are diverse, and should be centralized and automated through a tool for penetration testing.</p>
<p><strong>TECHNOLOGY</strong><br />
What tools or functionality are we lacking, what do we need to work on?<br />
Data analysis against hosts using proxy services is non-existent. We are leading an effort to help solve this issue. For example: an attacker using the Tor service attacks a honeypot. The logs are reviewed months or years later. When reviewing the logs, there is no record of what proxies existed at the time of the attack, so it isn&#8217;t reported that the attacker used an anonymizing service.<br />
Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?<br />
Yes, we intend to investigate the usefulness of this service with tools similar to honeysnap.</p>
<p><strong>PAPERS AND PRESENTATIONS</strong><br />
Are you working on any papers to be published, such as KYE or academic papers?<br />
We are back to research, and are collecting data for future publications. KYE light papers are being contemplated in the meantime, when time is available.<br />
Are you looking for any data or people to help with your papers?<br />
We will likely ask to use data from the Global Distributed Honeynet for publication or similar.<br />
Where did you publish/present honeypot-related material?<br />
Through the Honeynet Project, in a Know Your Enemy paper.</p>
<p><strong>ORGANIZATIONAL</strong><br />
Changes in the structure of your organization<br />
We have acquired interest among local information security professionals from the release of the latest KYE paper, as well as interest from students at DePaul University in search of school credit in an information security related field.<br />
Your feedback on Alliance activities<br />
As long as strong networking exists, the research and technology will follow. This has been the theme since we joined; as long as these opportunities remain, we are content with Alliance work.<br />
Any suggestions for improving the Alliance?<br />
Communication between active members is strong on the mailing list; however, a social networking service may benefit networking. Past and current members&#8217; affiliations, credentials, skill sets, and locations are information that progresses research, and they aren&#8217;t readily available by observing email conversations over lists. A social network would make a quick &#8220;who&#8217;s who&#8221; very simple and effective for collaboration.</p>
<p><strong>GOALS</strong><br />
Which of your goals did you meet for the last six months?<br />
We successfully gathered data from our first honeynet.<br />
We successfully created a simple data analysis frontend for our data.<br />
We deployed an updated and expanded honeynet for future research.<br />
We wrote the first KYE paper in two years of Honeynet regarding our research.<br />
We created a process at DePaul University to earn credit researching with us.<br />
Which of your goals did you not meet for the last six months?<br />
We did not win the best poster contest at the June workshop in Chicago.<br />
Goals for the next six months<br />
To research and develop new honeynet technology and diversify our research techniques to allow for better correlation in our data. This will specifically include the “archive” project, as well as a high interaction honeypot image for the Global Distributed Honeynet.</p>
]]></content:encoded>
			<wfw:commentRss>http://chicagohoneynet.org/status-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Know Your Enemy: Web Application Threats</title>
		<link>http://chicagohoneynet.org/know-your-enemy-web-application-threats/</link>
		<comments>http://chicagohoneynet.org/know-your-enemy-web-application-threats/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 17:45:36 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Honeynet]]></category>

		<guid isPermaLink="false">http://chicagohoneynet.org/?p=10</guid>
		<description><![CDATA[The Chicago Honeynet Project has released a “Know Your Enemy” paper with the Honeynet Project, along with members from the New Zealand Honeynet Project, and the German Honeynet Project. Abstract: With the constant growth of the Internet, more and more &#8230; <a href="http://chicagohoneynet.org/know-your-enemy-web-application-threats/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The Chicago Honeynet Project has released a “Know Your Enemy” paper with the Honeynet Project, along with members from the New Zealand Honeynet Project, and the German Honeynet Project.</p>
<p><strong>Abstract:</strong></p>
<p>With the constant growth of the Internet, more and more web applications are being deployed. Web applications offer services such as bulletin boards, mail services such as SquirrelMail, online shops, or database administration tools like PhpMyAdmin. They significantly increase the exposed surface area by which a system can be exploited. By their nature, web applications are often widely accessible to the Internet as a whole meaning a very large number of potential attackers. All these factors have caused web applications to become a very attractive target for attackers and the emergence of new attacks. This KYE paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats. In Appendix A, we give actual examples of a bot (a variant of PERL/Shellbot), the Lupper worm and an attack against a web Content Management System (CMS) as examples that show how web application threats actually act and propagate.</p>
]]></content:encoded>
			<wfw:commentRss>http://chicagohoneynet.org/know-your-enemy-web-application-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Analysis of a Spammer Attack</title>
		<link>http://chicagohoneynet.org/analysis-of-a-spammer-attack/</link>
		<comments>http://chicagohoneynet.org/analysis-of-a-spammer-attack/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 17:43:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Honeynet]]></category>

		<guid isPermaLink="false">http://chicagohoneynet.org/?p=8</guid>
		<description><![CDATA[We recently picked up traffic from a spammer who attacked a web application honeypot in an effort to upload a spamming tool. The attacker appeared twice on our honeynet for two sessions on different honeypots. On December 5th, 2006, the &#8230; <a href="http://chicagohoneynet.org/analysis-of-a-spammer-attack/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>We recently picked up traffic from a spammer who attacked a web application honeypot in an effort to upload a spamming tool. The attacker appeared twice on our honeynet for two sessions on different honeypots.</p>
<p>On December 5th, 2006, the attacker discovered a web application honeypot using Google. The honeypot emulated a PHPShell application with a vulnerability providing the attacker with root shell access. The root shell was emulated and none of the attacker&#8217;s commands succeeded. The commands run were merely exploratory and not clearly malicious.</p>
<p>The first attack used the search query “Current working directory: Root/” to discover the honeypot. They ran a couple of ls commands, followed by a wget yahoo.com command. The attacker then left the honeypot without any further activity.</p>
<p>On January 23rd, 2007, the spammer then discovered another honeypot on our honeynet. This honeypot was designed using a different technique to force search engines to index it differently, but still emulating the same application. Because of the different honeypot design, the attacker discovered the honeypot through a different search engine. Yahoo.com was used to attack this application, as opposed to Google. The same query was used, unchanged, for the discovery of the honeypot between the two search engines. However, more advanced features were used in the Yahoo discovery of the honeypot, such as displaying lengthier results on the Yahoo results page. Even though this functionality is available with Google, it was not used. These differences in search tactics were discovered from the HTTP headers sent by the attacker&#8217;s user agent, specifically the referring URL.</p>
<p>During this second attack, a mass email application was downloaded to the honeypot before the attacker disconnected. This is a screenshot of this tool:</p>
<p>In the above image, the form on the left is a field for the body of the email, and the form on the right is for a list of email addresses to send to. This would have given the spammer access to send bulk email from the vulnerable server, had it been configured to. After the attacker downloaded the tool, the restricted honeypot environment prevented them from accessing their tool.</p>
]]></content:encoded>
			<wfw:commentRss>http://chicagohoneynet.org/analysis-of-a-spammer-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chicago Honeynet Project</title>
		<link>http://chicagohoneynet.org/chicago-honeynet-project/</link>
		<comments>http://chicagohoneynet.org/chicago-honeynet-project/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 17:41:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Honeynet]]></category>

		<guid isPermaLink="false">http://chicagohoneynet.org/?p=6</guid>
<description><![CDATA[To encourage next-gen honeynet development, the Chicago Honeynet Project (CHP) has been founded. CHP will be developing the “Google Hack” Honeypot, as well as new technologies in web based honeypots. We hope to encourage research in this new field to &#8230; <a href="http://chicagohoneynet.org/chicago-honeynet-project/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
<content:encoded><![CDATA[<p>To encourage next-gen honeynet development, the Chicago Honeynet Project (CHP) has been founded. CHP will be developing the “Google Hack” Honeypot, as well as new technologies in web-based honeypots. We hope to encourage research in this new field to develop solutions for information security.</p>
<p><strong>Honeynet Alliance Membership</strong></p>
<p>We are now listed as a probationary organization with the Honeynet Project Research Alliance.</p>
<p><strong>Honeynet Workshop</strong></p>
<p>The Chicago Honeynet attended the Honeynet Workshop hosted in Chicago this month. We collaborated with The New Zealand and German Projects on our web application honeynets.</p>
<p><strong>DePaul Tech Talk</strong></p>
<p>Ryan McGeehan and Brian Engert presented web application honeynet material to the DePaul Linux Community on October 26th, with Mike Davis from Savid Technologies.</p>
]]></content:encoded>
			<wfw:commentRss>http://chicagohoneynet.org/chicago-honeynet-project/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

