LaBrea p. 74 Installation and Setup p. 75 Observations p. 81 Tiny Honeypot p. 81 Installation p. 82 Capture Logs p. 83 Session Logs p.

Transcription

1 Preface p. xiii Acknowledgments p. xxi About the Authors p. xxiii Honeypot and Networking Background p. 1 Brief TCP/IP Introduction p. 1 Honeypot Background p. 7 High-Interaction Honeypots p. 9 Low-Interaction Ploneypots p. 10 Physical Honeypots p. 11 Virtual Honeypots p. 11 Legal Aspects p. 12 Tools of the Trade p. 13 Tcpdump p. 13 Wireshark p. 15 Nmap p. 16 High-Interaction Honeypots p. 19 Advantages and Disadvantages p. 20 VMware p. 22 Different VMware Versions p. 25 Virtual Network with VMware p. 26 Setting Up a Virtual High-Interaction Honeypot p. 29 Creating a Virtual Honeypot p. 33 Adding Additional Monitoring Software p. 37 Connecting the Virtual Honeypot to the Internet p. 39 Building a Virtual High-Interaction Honeynet p. 40 User-Mode Linux p. 41 Overview p. 41 Installation and Setup p. 42 Runtime Flags and Configuration p. 46 Monitoring UML-Based Honeypots p. 50 Connecting the Virtual Honeypot to the Internet p. 51 Building a Virtual High-Interaction Honeynet p. 52 Argos p. 52 Overview p. 53 Installation and Setup for Argos Honeypots p. 54 Safeguarding Your Honeypots p. 62 Honeywall p. 63 Summary p. 69 Low-Interaction Honeypots p. 71 Advantages and Disadvantages p. 72 Deception Toolkit p. 73

2 LaBrea p. 74 Installation and Setup p. 75 Observations p. 81 Tiny Honeypot p. 81 Installation p. 82 Capture Logs p. 83 Session Logs p. 85 NetfilterLogs p. 85 Observations p. 86 GHH - Google Hack Honeypot p. 87 General Installation p. 87 Installing the Transparent Link p. 91 Access Logging p. 92 PHP-HoP - A Web-Based Deception Framework p. 94 Installation p. 95 HipHop p. 96 PhpMyAdmin p. 97 Securing Your Low-Interaction Honeypots p. 98 Chroot Jail p. 98 Systrace p. 101 Summary p. 103 Honeyd - The Basics p. 105 Overview p. 106 Features p. 107 Installation and Setup p. 108 Design Overview p. 109 Interaction Only via the Network p. 111 Multiple IP Addresses p. 111 Deceiving Fingerprinting Tools p. 111 Receiving Network Data p. 112 Runtime Flags p. 114 Configuration p. 115 Create p. 117 Set p. 117 Add p. 121 Bind p. 123 Delete p. 124 Include p. 125 Experiments with Honeyd p. 125 Experimenting with Honeyd Locally p. 125 Integrating Virtual Honeypots into Production Networks p. 128

3 Services p. 129 Logging p. 131 Packet-Level Logging p. 131 Service-Level Logging p. 133 Summary p. 134 Honeyd - Advanced Topics p. 135 Advanced Configuration p. 136 Set p. 136 Tarpit p. 137 Annotate p. 138 Emulating Services p. 139 Scripting Languages p. 139 SMTP p. 139 Subsystems p. 142 Optimizing Subsystems p. 145 Internal Python Services p. 146 Dynamic Templates p. 148 Routing Topology p. 150 Honeydstats p. 154 Honeydctl p. 156 Honeycomb p. 158 Performance p. 160 Summary p. 161 Collecting Malware with Honeypots p. 163 A Primer on Malicious Software p. 164 Nepenthes - A Honeypot Solution to Collect Malware p. 165 Architecture of Nepenthes p. 167 Limitations p. 176 Installation and Setup p. 177 Configuration p. 179 Command Line Flags p. 181 Assigning Multiple IP Addresses p. 183 Flexible Deployment p. 185 Capturing New Exploits p. 186 Implementing Vulnerability Modules p. 187 Results p. 188 Lessons Learned p. 196 Honeytrap p. 197 Overview p. 197 Installation and Configuration p. 200 Running Honeytrap p. 203

4 Other Honeypot Solutions for Learning About Malware p. 204 Muliipot p. 204 HoneyBOT p. 205 Billy Goat p. 205 Learning About Malicious Network Traffic p. 206 Summary p. 207 Hybrid Systems p. 209 Collapsar p. 211 Potemkin p. 214 RoiePlayer p. 220 Research Summary p. 224 Building Your Own Hybrid Honeypot System p. 224 NAT and High-Interaction Honeypots p. 224 Honeyd and High-Interaction Honeypot p. 228 Summary p. 230 Client Honeypots p. 231 Learning More About CHent-Side Threats p. 232 A Closer Look at MS p. 233 Other Types of Client-Side Attacks p. 236 Toward Client Honeypots p. 238 Low-Interaction Client Honeypots p. 241 Learning About Malicious Websites p. 241 HoneyC p. 246 High-Interaction Client Honeypots p. 253 Design of High-Interacrion Client Honeypots p. 254 HoneyClient p. 258 Capture-HPC p. 260 HoneyMonkey p. 262 Other Approaches p. 263 Studying Spyware on the Internet p. 264 SpyBye p. 267 SiteAdvisor p. 270 Further Research p. 271 Summary p. 272 Detecting Honeypots p. 273 Detecting Low-Interaction Honeypots p. 274 Detecting High-Interaction Honeypots p. 280 Detecting and Disabling Sebek p. 281 Detecting the Honeywall p. 285 Circumventing Honeynet Logging p. 286 VMware and Other Virtual Machines p. 289

5 QEMU p. 297 User-Mode Linux p. 298 Detecting Rootkits p. 302 Summary p. 305 Case Studies p. 307 Blast-o-Mat: Using Nepenthes to Detect Infected Clients p. 308 Motivation p. 309 Nepenthes as Part of an Intrusion Detection System p. 311 Mitigation of Infected Systems p. 312 A Modern Trojan: Haxdoor p. 316 Lessons Learned with Blast-o-Mat p. 320 Lightweight IDS Based on Nepenthes p. 321 SURFnetIDS p. 325 Search Worms p. 327 Red Hat S.O Compromise p. 332 Attack Summary p. 334 Attack Timeline p. 335 Tools Involved p. 338 Attack Evaluation p. 343 Windows 2000 Compromise p. 343 Attack Summary p. 344 Attack Timeline p. 345 Tools Involved p. 347 Attack Evaluation p. 350 SUSE 9.1 Compromise p. 351 Attack Summary p. 351 Attack Timeline p. 352 Tools Involved p. 354 Attack Evaluation p. 356 Summary p. 357 Tracking Botnet p. 359 Bot and Botnet 1O1 p. 360 Examples of Bots p. 362 Spywarein the Form of Bots p. 366 Botnet Control Structure p. 369 DDoS Attacks Caused by Botnets p. 372 Tracking Botnets p. 373 Observing Botnets p. 375 Case Studies p. 376 Mocbot and MS p. 381 Other Observations p. 384

6 Defending Against Bots p. 387 Summary p. 390 Analyzing Malware with CWSandbox p. 391 CWSandbox Overview p. 392 Behavior-Based Malware Analysis p. 394 Code Analysis p. 394 Behavior Analysis p. 395 API Hooking p. 396 Code Injection p. 400 CWSandbox - System Description p. 401 Architecture p. 402 Results p. 405 Example Analysis Report p. 406 Large-Scale Analysis p. 411 Summary p. 413 Bibliography p. 415 Index p. 423 Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.