Using Honeypots to Analyze Bots and Botnets Eirik Falk Georg Bergande Jon Fjeldberg Smedsrud Master of Science in Communication Technology Submission date: June 2007 Supervisor: Svein Johan Knapskog, ITEM Co-supervisor: André Årnes, Kripos Norwegian University of Science and Technology Department of Telematics Problem Description The students will continue their honeypot-project started in the fall of 2006. The existing honeypot setup will be expanded and further enhanced for collecting and analyzing honeypot data. The experiments will be aimed towards the area of botnets, including automated and manual attacks. A combination of low and high interaction honeypots will be used as parts of an adaptable solution to obtain the best possible security relevant measurements and thereby gain increased knowledge of malicious traffic on the internet. Assignment given: 17. January 2007 Supervisor: Svein Johan Knapskog, ITEM Abstract In this Master thesis we will perform honeypot experiments where we allow malicious users access to systems and analyze their behaviour. Our focus will be on botnets, and how attackers progress to infect systems and add them to their botnet. Our experiments will include both high-interaction honeypots where we let attackers manually access our system, and low interaction-honeypots where we receive automated malware. The high-interaction honeypots are normal Linux distributions accessing the internet through a Honeywall that captures and controls the data flow, while the low-interaction honeypots are running the Nepenthes honeypot. Nepenthes acts by passively emulating known vulnerabilities and downloading the exploiting malware. The honeypots have been connected to both the ITEA and UNINETT networks at NTNU. The network traffic filtering on the IP addresses we have received, has been removed in order to capture more information. Installing the honeypots is a rather complicated matter, and has been described with regard to setup and configuration on both the high and low interaction honeypots. Data that is captures has been thoroughly analyzed with regard to both intent and origin. The results from the high-interaction honeypots focus on methods and techniques that the attackers are using. The low-interaction honeypot data comes from automated sources, and is primary used for code and execution analysis. By doing this, we will gain a higher degree of understanding of the botnet phenomenon, and why they are so popular amongst blackhats. During the experiments we have captures six attacks toward the high-interaction honeypots which have all been analyzed. The low-interaction honeypot, Nepenthes, has captured 56 unique malware samples and of those 14 have been analysed. In addition there has been a thorough analysis of the Rbot. Acknowledgements This thesis is written by Eirik Bergande and Jon Smedsrud, but it would not have been completed without contribution from several people. We would like to thank the following people for helping us: • Professor Svein Johan Knapskog for his guidance and help in shaping this Master thesis. • PhD André Årnes for valuable input, guidance during the writing and proofreading the report. • David Watson, head of the UK honeynet project, for helping us setting up the Nepenthes server. • Pål Sturla Sæther and Asbjørn Karstensen for supplying us with all the equipment we needed during our experiments. • ITEA and UNINETT for letting us use their IP-range. • Ph.D Crina Grosan for translating Romanian IRC chat logs to English. I II Content Abstract.......................................................................................................................................I Acknowledgements.....................................................................................................................I Content.....................................................................................................................................III List of Figures...........................................................................................................................V List of Tables.............................................................................................................................V Abbreviations...........................................................................................................................VI 1 Introduction........................................................................................................................1 1.1 Scope..........................................................................................................................1 1.2 Background................................................................................................................1 1.3 Description.................................................................................................................2 1.4 Structure.....................................................................................................................2 2 Honeynet and honeypots....................................................................................................5 2.1 Honeypots...................................................................................................................5 2.2 Honeynet....................................................................................................................5 2.3 The Nepenthes honeypot............................................................................................9 3 Botnet introduction...........................................................................................................11 3.1 Initial propagation....................................................................................................12 3.2 Execution – the life of the bot begins.......................................................................14 3.3 Controlling the bots..................................................................................................15 3.4 Functionality and services........................................................................................16 3.5 Motives and economics............................................................................................19 4 Botnet trends....................................................................................................................21 4.1 IRC and Domain Name Service...............................................................................21 4.2 Instant Messaging C&C channels............................................................................22 4.3 Web based C&C Servers..........................................................................................22 4.4 Drop Zones and FTP based C&C Servers................................................................23 4.5 Proprietary backdoor C&C channels........................................................................23 4.6 P2P Botnet C&C channels.......................................................................................23 5 Implementation.................................................................................................................25 5.1 Honeynet Implementation........................................................................................25 5.2 Honeypots.................................................................................................................26 5.3 Nepenthes Implementation.......................................................................................28 5.4 Sandnet Analysis Implementation............................................................................30 6 Digital Forensics and Data Analysis................................................................................39 6.1 Data Acquisition.......................................................................................................39 6.2 The Analysis.............................................................................................................41 7 Analysis of the Linux Honeypots.....................................................................................45 7.1 Method.....................................................................................................................45 7.2 Incident Response Plan............................................................................................45 7.3 2007.03.25................................................................................................................48 7.4 2007.04.12................................................................................................................51 7.5 2007.04.25................................................................................................................53 7.6 2007.04.28................................................................................................................56 7.7 2007.04.29................................................................................................................60 7.8 2007.05.04................................................................................................................62 7.9 Summary of the analysis..........................................................................................64 8 Analysis of the Windows Malware..................................................................................69 III 8.1 Sandnet analysis.......................................................................................................69 8.2 Internet analysis........................................................................................................70 8.3 Checklist...................................................................................................................72 8.4 Overview of the Downloaded Nepenthes Malware.................................................74 8.5 Analysis of 8b40c17c0fd9756bf5e9938786962acd.................................................82 8.6 Analysis of c1143d2c458c6ddcf747cf1d07939cfc..................................................85 8.7 Analysis of e9041725b72dff55ec06efd5eb689c4c..................................................89 8.8 Analysis of ed82850e0ff267b4bf662425ba1a6f1f...................................................92 8.9 Analysis of fdec684b580dbb268fa304c485756af9..................................................95 8.10 Analysis of 0ce21e7ea9743f64774df29d47c138c2.................................................99 8.11 Analysis of 5bfd3657259a3f26d00f242487037304...............................................103 8.12 Analysis of 9fea785ca9ef38f32fbdd1ad5b64eea0.................................................107 8.13 Analysis of 41a75fcf84086198bd29ee34e40fcf85.................................................110 8.14 Analysis of f5abfc06a5088f9b0752f786b484024d................................................114 8.15 Analysis of d98b3e6f3425c088934c5005cc3e823e...............................................118 8.16 Analysis of 69fe26256de0d2c718ebd4943822271c..............................................121 8.17 Analysis of b77e035efb29c37cd3bec9ee174daa9b...............................................125 8.18 Analysis of d29188b4e836e52cc45e004ef948389f...............................................131 8.19 In-depth analysis of the RBot.................................................................................133 8.20 The collected Rbot from our Nepenthes honeypot.................................................135 8.21 Summary of the analysis........................................................................................141 9 Conclusion......................................................................................................................149 10 Future Studies.............................................................................................................151 References:.............................................................................................................................153 Web references:......................................................................................................................155 Figure references:...................................................................................................................157 Appendix A: Lab equipment overview............................................................................158 Appendix B: Extracting Sebek data from the Honeywall................................................159 Appendix C: Translated IRC Log from March 25-26.....................................................160 Appendix D: Honeywall Web interface – Walleye.........................................................169 Appendix E: HONEYWALL.CONF...............................................................................172 Appendix F: Command Reference for the Rbot..............................................................179 Appendix G: The RxBot2006 C++ files..........................................................................186 Appendix H: Tenpo.bat and 1.reg – Rbot Registry Changes...........................................190 Appendix I: Nepenthes installation....................................................................................194 Appendix J: Thwarting VMware detection mechanisms....................................................195 Appendix K: Overview of the Rbot Source Files............................................................196 Appendix L: Rbot logged in to the IRC test server.........................................................197 IV List of Figures Figure 1: Honeynet Architecture [fig1]......................................................................................6 Figure 2: Bots and botnets [fig2]..............................................................................................12 Figure 3: Infection/propagation methods [fig2].......................................................................13 Figure 4: Honeynet lab.............................................................................................................27 Figure 5: The honeynet lab.......................................................................................................27 Figure 6: Sandbox picture of psax............................................................................................58 Figure 7: Sandbox picture of SSH scanner execution..............................................................58 Figure 8: Inbound connections toward 129.241.189.2, ITEA..................................................65 Figure 9: Inbound connections toward 158.38.144.2, UNINETT...........................................66 Figure 10: Inbound connections toward 129.241.189.3, ITEA................................................66 Figure 11: Inbound connections toward 158.28.144.3, UNINETT.........................................67 Figure 12: Inbound connections on all honeypots...................................................................67 Figure 13: Number of SSH scan towards the honeynet...........................................................68 Figure 14: We are logged in to one of our test bots.................................................................70 Figure 15: Infection notice for installing Adware..................................................................126 Figure 16: Registry Cleaner...................................................................................................127 Figure 17: Desktop after infection.........................................................................................130 Figure 18: Malware size.........................................................................................................144 Figure 19: DNS C&C Servers................................................................................................144 Figure 20: IP adresses C&C Servers......................................................................................145 Figure 21: Ports used by C&C Servers..................................................................................145 List of Tables Table 1: Nepenthes honeynet server modules..........................................................................10 Table 2: Filenames and hashes from the attack, 2007.03.25....................................................48 Table 3: Filenames and hashes from the attack, 2007.04.12....................................................51 Table 4: Filenames and hashes from the attack, 2007.04.25....................................................53 Table 5: Filenames and hashes from the attack, 2007.04.28....................................................56 Table 6: Filenames and hashes from the attack, 2007.04.29....................................................60 Table 7: Filenames and hashes from the attack, 2007.05.04....................................................62 Table 8: Malware samples received on both network with infection date.............................142 V Abbreviations CD Compact Disc DDoS Distributed Denial of Service DNS Domain Name Server FTP File Transfer Protocol HTTP HyperText Transfer Protocol HTTPS Hypertext Transfer Protocol Secure ICMP Internet Control Message Protocol IDS Intrusion Detection System IIS Internet Information Services IP Internet Protocol IPS Intrusion Prevention System IRC Internet Relay Chat ISP Internet Service Provider ITEA IT-seksjonen ved NTNU LAN Local Area Network LCD Liquid Crystal Display MAC Medium Access Control MD5 Message-Digest Algorithm 5 MSN Microsoft Network NetBIOS Network Basic Input/Output System NTNU Norges Teknisk-Naturvitenskapelige Universitet (Norwegian University of Science and Technology) OS Operating System P2P Point-to-point PC Personal Computer PHISHING Password Harvesting Fishing RPC Remote Procedure Call SANS SysAdmin, Audit, Network, Security Institute SCP Secure Copy SHA-1 Secure Hash Algorithm 1 SMB Server Message Block SOCKS SOCKetS SQL Structured Query Language SSH Secure Shell SSL Secure Socket Layer TCP Transmission Control Protocol TTL Time to Live UDP User Datagram Protocol URL Uniform Resource Locator VI