spacer TO LEARN THE TOOLS, TACTICS, AND MOTIVES OF THE email the Honeynet Project
Home
About the Project
Research Alliance
Challenges
Presentations
Whitepapers
Tools
Our Book
Funding/Donations
Status Reports
Mirrors

spacer
spacer  
Status Reports
spacer

This is the Honeynet Project's status report for 2007 fiscal year (July 2006 - June 2007).  This report is presented to the community on an annual basis.  It covers the activities of the overall organization and its chapters.  To learn the details of what each chapter is doing, please refer to their specific status report (all of them are listed and linked below).  Any questions or concerns about this report should be sent to [email protected].

1.0 Deployments
During this period the Honeynet Project tested its first Global Distributed Honeynet (GDH) deployment. The purpose of the GDH project was to make it as simple as possible for multiple people and organizations to rapidly deploy a standardised virtual honeynet with centralized data collection and administration.  Developed and led by David Watson of the UK Honeynet Project Chapter, a bootable DVD based approach was developed, which allowed participants to easily deploy a secured base OS (installed to a donor computer's local hard drive), a virtual honeywall, and multiple virtual honeypots (high interaction honeypots, nepenthes honeypots, client honeypots, etc) with the minimum of local configuration. Participants simply entered their networking information into a configuration web page, downloaded a preconfigured ISO image, burned that image to DVD and then booted the hands-off GDH installer. Once installation was complete, honeywall data was automatically uploaded overnight to a central repository and all distributed nodes were managed remotely, with various web based reporting interfaces being developed, along with a daily operational handlers diary and regular analysis commentary. Eleven GDH nodes on multiple continents were successfully operated over a period of six months, and an status report was released internally that summarised the observed activity. Hopefully  at least some of this data will be released to the public in the coming year, possibly as a KYE:GDH white paper.  In addition to GDH, some of the individual chapters are doing extensive deployments of their own.  Chapters include

rule 2.0 Findings
A combined analysis of all the findings from the different chapters, our GDH deployment, and other sensors is beyond the scope of this annual report.  We will release detailed findings through our Know Your Enemy whitepapers, presentations at conferences, and other media.  To see what each individual chapter is learning, reference the chapter status reports at the end of this report.

rule 3.0 Lessons Learned
We identified several trends across many of the chapters.  These trends include.

  1. GDH has demonstrated that large scale distributed data collection and analysis are complex, time consuming efforts.   Now that Phase 1 is complete we are reviewing the lessons learned and identifying the best way to move forward (such as the use of honeypot farms, a more focused effort on client and low-interaction solutions, more automated data analysis, more powerful data analysis tools, etc). 
  2. That automated collection and basic analysis of Windows malware can now routinely be performed without the need for high interaction windows honeypots (which is good news for operations/DA), but that increasingly malware authors are attempting to detect, bypass or hide from automated collection and sandbox technologies.
  3. Many chapters are collecting extensive amounts of malware with Nepenthes.  We need improved centralization and analysis of malware making it easier to leverage that information for the chapters and members.

rule 4.0 Technology
Many of the chapters are working on a variety of new technologies.  Below is a highlight of some of those.  For more information, refer to the respective chapter status reports.

  • Capture-HPC is a high-interaction client honeypot framework. Capture-HPC identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system for unauthorized state changes. Developed by Christian Seifert and Ramon Steenson of the New Zealand Chapter. 
  • HoneyC is a low interaction client honeypot framework that allows to find malicious servers on a network. Instead of using a fully functional operating system and client to perform this task, HoneyC uses emulated clients that are able to solicit as much of a response from a server that is necessary for analysis of malicious content. Developed by Christian Seifert of the New Zealand Chapter.
  • Pehunter is a snort dynamic preprocessor that grabs Windows executables off the network. It is intended to sit inline in front of high-interactive honeypots. Developed and maintained by Tillmann Werner of the German Chapter.
  • Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool. Developed by Ryan McGeehan & Brian Engert of the Chicago Chapter.
  • Honeymole: This is used for honeypot farms. You deploy multiple sensors that redirect traffic to a centralized collection of honeypots. Developed and maintained by the Portuguese Chapter.
  • Capture BAT: This is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the New Zealand Chapter.
  • Honeysnap. Primary tool used for extracting and analyzing data from pcap files, including IRC communications. Developed and maintained by Arthur Clune of the UK Chapter.
  • HoneyBow. HoneyBow is a high-interaction malware collection toolkit and can be integrated with nepenthes and the mwcollect Alliance's GOTEK architecture. Developed and maintained by Chinese Honeynet Project.
  • High Interaction Honeypot Analysis Toolkit (HIHAT): This tool transforms arbitrary PHP applications into web-based high-interaction Honeypots. Apart from the possibility to create high-interaction honeypots, HIHAT furthermore comprises a graphical user interface which supports the process of monitoring the honeypot, analysing the acquired data. Last, it generates an IP-based geographical mapping of the attack sources and generates extensive statistics. HIHAT is developed and maintained by Michael Mueter of the German Chapter.

In addition, we have now opened our development efforts to the public, including pubic SVN access and public maillists.   We hope to soon have publicly accessible Wiki sites for all development efforts.

Public Maillists
Honeywall CDROM
Honeymole
Honeysnap
Capture-HPC
Capture-BAT

Public SVN access (RO)
Honeywall
CDROM
Honeysnap
Capture-HPC

rule 5.0 Papers & Presentations
All Honeynet Project Know Your Enemy (KYE) papers go through an extensive, internal review process.  All paper topics have to be first approved by the KYE committee.  Then initial drafts are reviewed by the KYE committee.  Last, at minimum all final drafts are peer reviewed by the entire membership.  Only about 50% of submissions make it through the process. In addition, we have started a new concept for papers called "KYE Lite".  These are shorter papers that are written about a specifc topic.  While not having the depth of traditional KYE papers, since these papers are more focused they can have a shorter development process and bring information to the public quicker.

KYE: Fast-Flux  Service Networks:  This whitepaper details a growing technique within the criminal community called fast-flux networks. This is an architecture that builds more robust networks for malicious activity while making them more difficult to track and shutdown. This is the first KYE paper we are releasing in both .pdf and .html format.  In addition, this research was presented at Hack-in-the-Box Malaysia.  You can find this presentation online at our Speaking Section.

KYE: Malicious WebServers:  In this paper, we take an in-depth look at malicious web servers that attack web browsers and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC.

KYE: Web Application Threats:  This paper provides behind the scenes information on various HTTP-based attacks against web applications, including remote file inclusion and exploitation of the PHPShell application. The paper is based on the research and data collected from the Chicago Honeynet Project, the New Zealand Honeynet Project and the German Honeynet Project during multiple honeypot compromises. Along with the release of this paper, comes new functionality to the Google Hack Honeypot (GHH), used extensively in the paper. GHH now includes an automated malware collection function, as well as remote XML-RPC logging for SSL support.

Virtual Honeypots:  The most current book on honeypots today, this excellent resource was published by team members Thorsten Holz and Niels Provos.

rule 6.0 Organizational
One of the key challenges our organization has faced was that in reality we have been two different organization, the core Honeynet Project and then associated members the Research Alliance. This structure has caused problems, including issues of communication, coordination and transparency.  At the beginning of the year the membership and its leaders decided we needed a major restructuring, combining both organizations into a single, legal entity.  The goal is to create an organization simpler to govern, improved communication, and more transparent operation.  As a result, the Honeynet Research Alliance has been officially merged into the Honeynet Project, as documented in our new bylaws (which will be posted online soon).

The Honeynet Project will remain a non-profit 501c3 dedicated to sharing findings with the community.  In addition, it will become a chapter based organization, with most of the the original Alliance organizations becoming the initial chapters.  This combination will create a more open, international organization that is easier to manage.  In addition, we are hoping this makes our research easier for the public to get involved, especially our development efforts.  We will be announcing more information soon on these changes.

rule 7.0 Goals
7.1 Our biggest challenge is merging the Honeynet Project and Research Alliance into a single, legal entity.  The recent restructuring will meet those goals.  We have recently approved the new bylaws.  The next step is the election of a new Board of Directors.

7.2 We want to work on better integration of all of our development efforts.  Currently, many of our development efforts are independently lead, with limited strategic interaction.  We have kicked off an internal project called the Strategic Research and Development Overview (SRDO) catalog all of our development efforts, identify and document key leaders, and bring together better integration of all of our development efforts. 

rule 8.0 MISC
None at this time.

rule 9.0 Chapter Reports
Below you will find links to the status reports from each chapter of the Honeynet Project.

New Zealand Honeynet Project
Chicago Honeynet Project
UNAM Honeynet Project
Mexican Honeynet Project
Chinese Honeynet Project
Portuguese Honeynet Project
Alaskan Honeynet Project
Pakistan Honeynet Project
UNCC Honeynet Project
Brazilian Honeynet Project
Phillipine Honeynet Project
Singapore Honeynet Project
Spanish Honeynet Project
Costa Rican Honeynet Project
Norwegian Honeynet Project
UK Honeynet Project
West Point Honeynet Project
German Honeynet Project
GA Tech Honeynet Project
Japanese Honeynet Project


Back to Top