Chinese Honeynet Project Status Report March 2006
Written by Administrator   
2007-04-20 09:57:01

Period Sep 2005 to March 2006

1. DEPLOYMENTS
2. FINDINGS
3. LESSONS LEARNED
4. NEW TOOLS
5. PAPERS AND PRESENTATIONS
6. ORGANIZATIONAL
7. GOALS
8. MISC ACTIVITIES

1. DEPLOYMENTS

=============================================================

1.1 Current technologies deployed.

Virtual Honeypots:

Nepenthes_pub: one nepenthes sensor bound to a single IP address on the Chinese public Internet.

Nepenthes_edu: one nepenthes sensor bound to a class C IP range of the China Education and Research Network (CERNET).

Both sensors submit the malware they capture to the mwcollect alliance.

Physical Honeypots:

A typical Gen 3 honeynet, consisting of:

Honeywall: based on Roo CDROM

 • 1 Red Hat Linux 9.0 honeypot
 • 1 Win2K honeypot
 • 1 WinXP honeypot
 • VMPot_2K: 1 VMware Win2K honeypot
 • VMPot_XP: 1 VMware WinXP honeypot

A virtual honeynet hosted on a single computer (called a HoneyBox), used for training and malware analysis.

1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.

 • Dasher.B incident

Between Dec 15 and 18, 2005, the Dasher.B worm broke out. The Chinese Honeynet Project captured the sample (using georg's script and our physical honeypots) and analyzed it (see our analysis report), and contained the worm together with CNCERT/CC (see the timeline of the Dasher.B worm); the worm's author was also identified.

Malware capture timeline:

Malware Sample Capture Count Trend (all honeypots)

New Malware Sample Capture Count Trend (all honeypots)

Malware Sample Capture Statistics by Location

Malware Sample Capture Count Trend (Nepenthes_pub)

(figure; image URL parameters: value=21877, percent=58.94)

Malware Sample Capture Count Trend (Nepenthes_edu)

Outbound traffic to other countries is billed on CERNET, so we restrict outbound traffic to save money. Recently we bound an additional China Public Internet IP to this sensor and use that interface for downloading the malware, which costs nothing.

(figure; image URL parameters: value=7294, percent=19.65)

Malware Sample Capture Count Trend (VMPot_2K)

(figure; image URL parameters: value=2617, percent=7.05)

Malware Sample Capture Count Trend (VMPot_XP)

(figure; image URL parameters: value=5329, percent=14.36)



2. FINDINGS

=============================================================

2.1 Highlight any unique findings, attacks, tools, or methods.

 • Malware Capture

Captured Malware Sample Distribution by Family

Top 5 Captured Malware Samples This Month

 • BotNet Tracking

BotNet Discovered Trends (some are extracted from Norman Sandbox reports)

BotNet C&C Server Distribution by Country

BotNet C&C Server Google Maps

BotNet Size Distribution

BotNet C&C Port Distribution

One Typical BotNet Distribution (the flag denotes the C&C server, balloons denote the zombies controlled by the BotNet)

2.2 Data analysis tools and methods being used.

For honeynet data analysis, we use standard analysis tools including tcpdump, ethereal, and the Gen 3 Walleye. We have also developed some analysis tools to aid our honeynet data analysis process, including N-Eye (Network Environment Apperceive Tool), WAVIP (Walleye Attack and Vulnerability Information Patch), and Athena (Honeynet Data Correlation Analysis System). See the New Tools section for details.

For malware analysis, we use KAV/ClamAV to identify known malware, our own MwDissector for automatic static analysis, and our own MwSniffer for automatic dynamic analysis. See the New Tools section for details.

For BotNet tracking, we use our own HoneyBot™; see the New Tools section for details.

2.3 For data analysis what tools work well, and what still needs to be developed.

The standard data analysis tools are great, but they need too much manual work. Walleye acts as a data fusion tool and provides very good data views for the analyst. We have suggested that focus analysis, statistical analysis and correlation analysis functions should be included in the next generation of honeynet technology.



3. LESSONS LEARNED

=============================================================

3.1 Positive things to share with the community.

 • Keep good relations with CERT organizations and ISPs and help them defend the security of the Internet; they will be your sponsors and customers, and will provide you the test-bed and valuable data you need for developing and experimenting with new technology.

 • Don't go to sleep when an emergent incident such as the Dasher.B worm breaks out. Try your best to analyze it (be careful with every released result; the kids will sneer at every mistake you make) and respond to it together with the CERT/ISP people. It is a great chance to get valuable data, improve your incident response and investigation capability, and save innocent Internet users.

 • Keep up with the open source community, and search for related existing tools and projects before you decide to develop something yourself. Switch to mature and widely accepted tools and projects if you find they are better than yours, and try to contribute to the open source tools and projects.

3.2 Mistakes to share with the community.

 • Keep yourself calm even when emergent incidents occur. We lost a great chance to get valuable practical Dasher.B worm infection curve data: Dasher.B is the first worm I have seen that uses a central FTP server for spreading, and the download counts reported by that FTP server implied the Dasher.B infection count. But by the time we were aware of it and had implemented a script to collect the data, the FTP server had been brought down by CNCERT/CC after we reported the incident to them.

3.3 Research ideas.

 • Integration of virtual honeypots (like honeyd and nepenthes) and physical honeypots to get a scalable solution with lower cost, threat exposure and labor, while still providing a high interaction level to novel attacks and malware.

 • Virtual honeypot technology based on OS and network simulation (like the Norman sandbox technology) and its applications.

 • Measurement of security threats to Internet killer applications (WWW, Email, P2P, IM, etc.) based on client-side honeypot technology.



4. NEW TOOLS

=============================================================

4.1 New tools or technology we are working on.

 • 4.1.1 Hades Project (BotNet discovery and tracking project): PI - Xinhui Han

HoneyBow Malware Capture Solution

1. Malware Capture Tools based on VMware/Physical Honeypots – MwWatcher and MwFetcher by Chengyu Song

MwWatcher is a tool that monitors given directories for files matching given patterns and automatically uploads any suspicious files using an FTP batch file. It does not use the usual hooking methods but communicates with the kernel through an asynchronous API. Its stability and efficiency have been substantiated during the last four months of testing in the wild. Moreover, its installation and configuration are easy and convenient.

MwFetcher is a newly developed tool that scans the virtual disk of a VMware machine to find possible malware present in the file system by comparing the current file list with a known-healthy file list. Since it runs outside the box, it has a great advantage in detecting self-hiding malware such as rootkits. The whole process is automated and can therefore be used as part of the maintenance of a VMware honeypot.

MwWatcher and MwFetcher will be open sourced, and integration with the mwcollect GOTEK architecture is also under development.
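The file-list comparison MwFetcher performs, as an added illustration that is not the project's own code: a healthy manifest of the honeypot's file system is recorded once, a later scan is compared against it from outside the guest, and added, modified and removed files are reported. The directory tree and file names are constructed for the example.

```python
"""Baseline file-list comparison in the spirit of MwFetcher (added example).

Constructed scenario: a healthy manifest (path -> SHA-256) is taken while the
honeypot is clean; a later scan of the same tree is compared against it from
outside the guest, so files a rootkit hides inside the box still show up.
This is illustrative code, not the project's own MwFetcher.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Walk a mounted (virtual) disk and record relative path -> digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks carry no content of their own
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare(baseline, current):
    """Files added, modified or removed relative to the healthy baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed run: snapshot a clean tree, then simulate an infection."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "WINNT", "system32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "svchost.exe"), "wb") as f:
            f.write(b"clean svchost")
        with open(os.path.join(root, "boot.ini"), "wb") as f:
            f.write(b"[boot loader]")
        healthy = build_manifest(root)  # taken while the honeypot is clean
        # simulated compromise: dropped binary, patched system file, deleted file
        with open(os.path.join(sys32, "dropped.exe"), "wb") as f:
            f.write(b"suspect")
        with open(os.path.join(sys32, "svchost.exe"), "wb") as f:
            f.write(b"patched svchost")
        os.remove(os.path.join(root, "boot.ini"))
        return compare(healthy, build_manifest(root))
```

In practice the baseline would be stored outside the guest and the scan run against the mounted virtual disk, so nothing inside the honeypot can tamper with either side of the comparison.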

2. Physical Honeypots Monitor and Management Tool – PotManager by Qiushi Wang

Under development. The configuration, monitoring and management mechanisms of honeypots have not been considered in the current Gen 3 honeynet solution; we have suggested that honeypot configuration management requirements should be implemented in future honeynet solutions. The design objectives of PotManager include: collecting the system state (CPU, memory, disk, network, processes, etc.) of honeypots (we are using snmpd now); supporting remote configuration and management of honeypots (process restart, reboot, and restore); and integrating with the Honeywall CDROM.

PotManager will be open sourced when the work is complete.


HoneyBox Malware Analysis Solution

3. Malware Static Analysis Tool – MwDissector by Jinpeng Guo

Under development. It includes AV product scans (ClamAV, KAV, VirusTotal, Norman Sandbox) and some malware static analysis functions, such as "file", "hexdump", "strings" and "objdump". Automatic identification and unpacking of packed malware before static analysis is also under consideration, and research on more complicated decompilation and static analysis of identifiable APIs is already scheduled.

MwDissector will be used to construct our own malware analysis platform.

4. Malware Dynamic Analysis Tool based on API Hooking – MwSniffer by Xinhui Han

Based on API hooking technology, MwSniffer monitors the API calls of the analyzed malware and produces a report on its behaviour, including processes, file add/delete, registry, network, etc. MwSniffer also blocks outbound scanning and spreading by the malware using a connection-limiting mechanism. Han has finished the implementation of MwSniffer; after careful testing, MwSniffer will be released as freeware in the near future and will be used to construct our own malware analysis platform.


HoneyBot™ BotNet Tracking Solution

5. BotNet Tracking Tool – HoneyBot™ by Dongzhi Cao

HoneyBot™ has been developed and used for practical tracking of up to thousands of BotNets, and the figures shown in Section 2 are all based on real-time data provided by HoneyBot™.


6. Hades Project Data Presenting Web Site by Jinpeng Guo, Fangfang Zhang and Yaxin Liu

The figures presented in Section 1 and Section 2 are all generated in real time by our Python scripts; the BotNet C&C geo-distribution and BotNet geo-distribution figures are generated using the Google Maps API and AJAX technology. The Hades project results will be published on our website soon.


 • 4.1.2 Honeynet Data Analysis Tools: PI – Jianwei Zhuge

1. N-Eye – Network Environment Information Apperceive Tool by Jianwei Zhuge and Cheng Li

N-Eye takes advantage of passive fingerprinting (p0f, pads) and active scanning (nmap, nessus) to provide a useful network environment apperception tool for security administrators, honeynet data analysis, NIDS alert validation, etc.

N-Eye has been open sourced under the GPL license (http://sourceforge.net/projects/n-eye).

Cheng Li is developing a honeynet data focus analysis script that takes account of N-Eye and other information to evaluate the severity of the honeynet-captured data.

2. WAVIP – Walleye Attack and Vulnerability Information Patch by Jianwei Zhuge, Yan Li and Cheng Li

The purpose of the WAVIP patch is to make more information about attacks and vulnerabilities available and visible in Walleye, and to link the detailed information to the flows. The database we add is based on a knowledge base project called Poseidon that syndicates all important security information on the Internet, such as snort rules, nessus plugins, etc. WAVIP has been released as a patch for the Roo CDROM (Walleye Attack and Vulnerability Information Patch).

3. Athena – Honeynet Data Correlation Analysis System by Jianwei Zhuge

The Athena system is part of the work for Jianwei Zhuge's Ph.D. thesis. First, we propose a network attack and vulnerability knowledge model based on object-oriented concepts and the STRIPS model, describing attack behaviours using a hierarchy composed of abstract attack concepts and detailed attack actions. Second, we use N-Eye to automatically apperceive network environment information, which provides the context for correlation analysis. Lastly, we propose an attack plan recognition algorithm based on the Extended Goal Graph, extending the classical plan recognition methods of the AI domain, which can recognize the attacker's plan from the mass of honeynet-captured data and reconstruct the attack scenario graph. The Athena system has been implemented as a proof-of-concept tool running on the Honeywall and has been tested using the Scan of the Month 27 BotNet data and many in-the-wild BotNet scenarios; the following figure shows a typical BotNet attack scenario graph generated by the Athena system. The Athena system will be further developed in order to release a practical version.

4.2 Integrate with any other tools and Collaboration.

 • 4.2.1 Integrate with the mwcollect alliance on malware capture and analysis

We hope to integrate with the mwcollect alliance on malware capture and analysis by contributing our tools (MwWatcher/MwFetcher for malware capture, MwDissector/MwSniffer for malware analysis) and our further research, such as the integration of virtual and physical honeypots to achieve the best malware capture solution, further decompilation and static program analysis of malware, etc.

 • 4.2.2 Integrate with the honeynet project on honeypot configuration and management

When we finish and release PotManager, we hope the tool, or some of its ideas on honeypot configuration and management, can be integrated into the Honeywall CDROM maintained by the Honeynet Project.

 • 4.2.3 Integrate with the honeynet project on honeynet data analysis

We hope our research and development work on honeynet data analysis (N-Eye, WAVIP, and Athena) can help the Honeynet Project improve the data analysis capability of future versions of honeynet technology.




5. PAPERS AND PRESENTATIONS

=============================================================

5.1 Presentations

 • J. Zhuge, Introduction to Honeypot/Honeynet and their applications, invited technical trainings at CNCERT/CC, Oct. 2005 and Chinese Mobile Communications Corp., Nov. 2005/March 2006.

5.2 Publication of papers

 • J. Zhuge, X. Han, Z. Ye, W. Zou, Towards High Level Attack Scenario Graph through Honeynet Data Correlation Analysis, 7th IEEE IAW Workshop, in submission.

 • X. Han, J. Zhuge, F. Zhang, Z. Ye, W. Zou, Honeynet: Current and the Future, Computer Engineering, in submission. (in Chinese)

 • J. Zhuge, X. Han, Z. Ye, W. Zou, A Network Attack Plan Recognition Algorithm based on the Extended Goal Graph, Journal of Computer, in submission. (in Chinese)

5.3 Are you looking for any data or people to help with your papers?

 • We hope to work with the German Honeynet Project and the mwcollect alliance on the "KYE: malware" whitepaper (we think the title "KYE: malware collection" would be better), contributing our malware collection tools based on VMware/physical honeypots (i.e. MwWatcher/MwFetcher) and our honeypot management tool (i.e. PotManager).

 • We hope to work with the honeynet research community on "KYE: malware analysis" after we finish some development work on automatic malware analysis tools and have enough analysis data and experience.

 • We also hope to work with the honeynet research community on another paper, "KYE: BotNet Trends", that gives a big picture of the current BotNet situation and trends; enough data is required for such a KYE paper.



6. ORGANIZATIONAL

=============================================================

6.1 Changes in the structure of your organization.

The structure of the Chinese Honeynet Project has not changed during the last period. But two graduate students (Jianwei Zhuge, Jinpeng Guo) will stay with the Chinese Honeynet Project, and Zhiyin Liang has come back, so we will have 5 staff after June. The team will be enlarged to about 15 members in the next half-year.

6.2 Your feedback on Alliance activities.

 • Jianwei Zhuge has actively provided feedback on the discussions in the Alliance mailing list, including proposing "Some Ideas and Suggestions on another Two Honeynet Core Requirements – Honeynet Data Analysis and Honeynet Management".

 • The Chinese Honeynet Project has been invited to attend the Annual Get Together; Jianwei Zhuge and Xinhui Han have requested to attend.

6.3 Any suggestions for improving the Alliance?

None currently.



7. GOALS

=============================================================

7.1 Which of your goals did you meet for the last six months

 • We have achieved the goal of automatic malware collection and analysis, although there is further work to do in this area, and we successfully obtained funding for BotNet discovery and tracking.

 • We have finished the development of HoneyBot™ and used it for practical BotNet tracking.

 • The research on honeynet data analysis was also fruitful, but it still needs hard work to make it applicable.

7.2 Which of your goals did you not meet for the last six months?

 • Environment information gathering and presenting tool development: we evolved the H-Eye idea into MwWatcher/MwFetcher/PotManager, but we have not finished the development of PotManager. The further development of N-Eye and the integration of N-Eye/PotManager with Gen 3 honeynet technology have not been achieved.

 • Data statistical analysis tool development: although we have implemented some statistical analysis web interfaces for malware collection and BotNet tracking, we have not achieved the goal of developing a honeynet data statistical analysis tool.

7.3 Goals for the next six months

 • 1. Finish the Hades project successfully, release a BotNet situation report, try our best to write a KYE paper on the BotNet situation, and help CNCERT/CC deploy distributed honeypots and maintain the BotNet discovery and tracking system in the Chinese public Internet if possible.

 • 2. Further research and development on malware capture and analysis technologies: construct our own malware analysis platform and provide a malware analysis service, and integrate with the mwcollect alliance to raise the malware collection and analysis capability of the open source community.

 • 3. Further research and development on honeynet data analysis technology, integrating with the Honeynet Project in order to improve the data analysis capability of future honeynet technology.

 • 4. Find and research some new topics on the measurement of security threats against Internet killer applications (WWW, Email, etc.) or others.

 • 5. Enlarge the Chinese Honeynet Project by retaining more high-level people with abundant experience in network security and software engineering (after June, we will have 5 staff!), and attracting more PKU students and visiting students from other universities.

 • 6. Find more funds and donations for purchasing devices and software, and for covering the quickly increasing payout of our team.

 • 7. Write 2-3 academic papers and get 1-2 accepted, write and submit 2 patent proposals, write 1-2 KYE white papers, and deliver some presentations.

 • 8. Reconstruct our website to include a blog and web BBS, put more resources into introducing the newest honeypot/honeynet technologies and their applications into China, and communicate and cooperate with the CERTs, ISPs, and research teams or individuals in China.




8. MISC ACTIVITIES

=============================================================

 • Obtained a Chinese National Information Security Plan fund for the BotNet discovery and tracking project (Hades Project), Nov 2005 – Nov 2006.

 • China National Security Emergency Response Exercise, with CNCERT/CC and Chinese Mobile Communications Corp., Dec 2005.

 • Analysis, containment and investigation of the Dasher.B worm incident, with CNCERT/CC, Dec 2005.

 • Translated the draft "Know Your Enemy: Malware" into Chinese.

Last Updated (2007-04-22 20:32:08)