Period: Apr 2006 to March 2007

1. DEPLOYMENTS
=============================================================

1.1 Current technologies deployed.

Low-Interaction Honeypots:
• Nepenthes_pub: 1 nepenthes sensor bound to one IP of the China public Internet.
• Nepenthes_edu: 1 nepenthes sensor bound to one class C IP range of the China Education and Research Network (CERNET).

High-Interaction Honeypots:
A typical Gen 3 Honeynet, comprised of:
• Honeywall: based on the Roo CDROM
• 1 Red Hat Linux 9.0 honeypot
• 1 Win2K honeypot
• 1 WinXP honeypot
• VMPot_2K: 1 VMware Win2K honeypot
• VMPot_XP: 1 VMware WinXP honeypot
A virtual honeynet hosted on a single computer, for training and malware analysis.

Distributed Honeypots/Honeynets:
• The only GDH node in China.
• Leurrecom.org Beijing node.
• Deploying and maintaining the Matrix Chinese Distributed Honeynet for CNCERT/CC (40+ honeypots, 17 nodes distributed across 16 provinces).

1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.

• Mocbot BotNet incident: on August 13, 2006 (Beijing Time), Mocbot, which exploits the MS06-040 vulnerability, broke out; the Chinese Honeynet Project captured the sample at the very start of the outbreak using our HoneyBow sensors deployed in the Matrix Distributed Honeynet, analyzed the sample using our MwSniffer tool, and provided the results to CNCERT/CC. After CNCERT/CC brought down the C&C server and released a security alert bulletin on August 17, Mocbot was effectively contained.

The First Captures of the Mocbot

Sample_id | Sample_MD5 | Family (KAV) | Capture Time (Beijing) | Captured by
2636 | 9928a1e6601cf00d0b7826d13fb556f0 | IRCBot | 2006-08-13 03:54 | vmpot.xp
2636 | 9928a1e6601cf00d0b7826d13fb556f0 | IRCBot | 2006-08-13 03:54 | vmpot.kk
Mocbot Capture Trends (sorry for the Chinese characters)

• The Matrix Chinese Distributed Honeynet has been used in practice by CNCERT/CC for daily Internet security measurement and incident handling; here are some screenshots of the Matrix UI (sorry again for the Chinese characters).

Geo-distribution of our Matrix nodes (17 now, waiting for more)

We have on average 3,752 malware captures every day

Among them, about 228 new binaries (based on MD5) every day

We also record every inbound/outbound flow to/from the honeynets
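The Mocbot table above and the daily figures quoted here (captures per day, new binaries by MD5) are derived from the same kind of capture records. The following added Python example is not the project's Matrix code: it parses constructed records in that table layout (only the Mocbot MD5 is taken from the report; the other rows are made up) and computes daily totals, new-by-MD5 counts and the sensors that made each first capture, discarding rows whose hash is malformed so they cannot inflate the counts.

```python
from datetime import datetime
# Constructed capture log in the report's table layout; only the first MD5 (Mocbot)
# is from the report, the rest is made up, and the last row is deliberately malformed.
CAPTURES = """\
2636 | 9928a1e6601cf00d0b7826d13fb556f0 | IRCBot  | 2006-08-13 03:54 | vmpot.xp
2636 | 9928a1e6601cf00d0b7826d13fb556f0 | IRCBot  | 2006-08-13 03:54 | vmpot.kk
2637 | 0a1b2c3d4e5f60718293a4b5c6d7e8f9 | Virut   | 2006-08-13 11:20 | nepenthes_pub
2638 | 0A1B2C3D4E5F60718293A4B5C6D7E8F9 | Virut   | 2006-08-14 02:05 | vmpot.2k
2639 | ffffffffffffffffffffffffffffffff | Allaple | 2006-08-14 09:41 | nepenthes_edu
2640 | not-a-hash                       | Allaple | 2006-08-14 09:42 | nepenthes_edu
"""

def parse_captures(text):
    """Parse pipe-delimited rows; lowercase the MD5 and drop rows whose hash is not
    32 hex chars, so a malformed row cannot inflate the counts."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue
        sample_id, md5, family, ts, sensor = fields
        md5 = md5.lower()
        if len(md5) != 32 or not all(c in "0123456789abcdef" for c in md5):
            continue
        rows.append({"id": int(sample_id), "md5": md5, "family": family,
                     "sensor": sensor, "time": datetime.strptime(ts, "%Y-%m-%d %H:%M")})
    return rows

def daily_stats(rows):
    """Per ISO date: (total captures, binaries first seen that day, by MD5)."""
    seen, out = set(), {}
    for r in sorted(rows, key=lambda r: r["time"]):
        day = r["time"].date().isoformat()
        total, new = out.get(day, (0, 0))
        out[day] = (total + 1, new + (r["md5"] not in seen))
        seen.add(r["md5"])
    return out

def first_captures(rows):
    """Earliest capture per MD5 plus every sensor that saw it at that same minute,
    the way the Mocbot table lists two sensors for one sample."""
    first = {}
    for r in rows:
        cur = first.get(r["md5"])
        if cur is None or r["time"] < cur["time"]:
            first[r["md5"]] = {"time": r["time"], "sensors": {r["sensor"]}}
        elif r["time"] == cur["time"]:
            cur["sensors"].add(r["sensor"])
    return first
```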

2. FINDINGS
=============================================================

2.1 Highlight any unique findings, attacks, tools, or methods.

All of the following findings are based on our Matrix system, from a China perspective.

• Attack Source
National/regional distribution of attack source IP addresses (queried by GeoIP)

We can see clear and distinct pulses (due to time-zone differences) for each attack source country/region

Yesterday's (Apr 10, 2007) attack IP addresses plotted on Google Maps, even more crowded than Tian'anmen Square on Chinese National Day. The major "attackers" (actually controlled zombies) are from the US, EU, and East Asia.
• Attack Traffic Classification 

Top Destination Ports of Yesterday (Apr 10, 2007) 
• Malware
Top malware sample families ordered by captured instances (based on KAV identification): five bots and two polymorphic viruses (Virut, Allaple) with bot functionality; the Internet belongs to botnets except during worm outbreaks.

• BotNet Tracking
We tracked on average 59 botnet command and control channels every day, among them on average 11 newly found.

Only a small part of IRC botnets still use the standard port 6667 for their C&C channels

The US still hosts the biggest part of our tracked botnets

The controlled hosts we tracked are mainly located in developing countries such as Brazil, China, and other Asian countries and regions.

Evolution of size for one typical wild botnet

Geographical location of the controlled hosts for one of the tracked botnets; again the major victims are located in the US, EU and East Asia
2.2 Data analysis tools and methods being used.

For honeynet data analysis, we use standard analysis tools including tcpdump, ethereal, and the Gen 3 Walleye. We also developed some analysis tools to aid our honeynet data analysis process, including N-Eye (Network Environment Apperceive Tool), WAVIP (Walleye Attack and Vulnerability Information Patch), and Athena (Honeynet Data Correlation Analysis System). For malware analysis, we use our MwScanner to identify known malware, our own MwDissector for automatic static analysis of malware, and our own MwSniffer for automatic dynamic analysis of malware. For BotNet tracking, we use our own HoneyBot; see the New Tools section for details.

2.3 For data analysis what tools work well, and what still needs to be developed.

The standard data analysis tools are great, but need too much manual work. Walleye acts as a data fusion tool and provides very good data views for the analyst. We have suggested that focus analysis, statistical analysis and correlation analysis functions should be included in the next generation honeynet technology.

3. LESSONS LEARNED
=============================================================

3.1 Positive things to share with the community.
• Keep good relations with CERT organizations and ISPs, and help them defend the security of the Internet; they will be your sponsors and customers, and provide you with the necessary test-bed and valuable data for new technology development and experiments.

3.2 Mistakes to share with the community.
None, currently.

3.3 Research ideas.
• Integration of virtual honeypots (like honeyd and nepenthes) and physical honeypots to get a scalable, lower cost/threat/labor solution that still provides a high interaction level for novel attacks/malware.
• Virtual honeypot technology based on OS and network simulation (like the Norman sandbox technology) and its applications.
• Measuring the security threats of Internet killer applications (WWW, Email, P2P, IM, etc.) based on client-side honeypot technology.

4. NEW TOOLS
=============================================================

4.1 New tools or technology we are working on.

HoneyBow Malware Capture Solution
1. Malware Capture Tools based on VMware/physical honeypots – MwWatcher and MwFetcher, by Chengyu Song. Released as open source tools under the GPL; release website: honeybow.mwcollect.org.
2. Physical Honeypots Monitor and Management Tool – PotManager, by Qiushi Wang. Integrated into the Matrix Chinese Distributed Honeynet.

HoneyBox Malware Analysis Solution
3. Malware Static Analysis Tools – MwScanner by Jinpeng Guo, MwDissector by Zhiyin Liang. MwScanner uses the KAV, ClamAV, BitDefender, Trend, Kill, Rising, Kingsoft, Anity, and Jiangming engines for malware identification. It has been finished and is used in the Matrix Chinese Distributed Honeynet. MwDissector is still under research and development.
4. Malware Dynamic Analysis Tool based on API hooking – MwSniffer, by Xinhui Han and Chengyu Song. MwSniffer has been developed and is used in the Matrix Distributed Honeynet.

HoneyBot BotNet Tracking Solution
5. BotNet Tracking Tool – HoneyBot, by Dongzhi Cao. HoneyBot has been developed and used for practical tracking of up to thousands of botnets; the figures shown in Section 2 are all based on real-time data provided by HoneyBot. It has been used in the Matrix Chinese Distributed Honeynet.
6. Matrix Distributed Honeynet UI Web Site, by Jinpeng Guo, Fangfang Zhang and Yaxin Liu. The figures presented in Section 1 and Section 2 are all generated in real time by our Python scripts; the BotNet C&C geo-distribution and BotNet geo-distribution figures are generated using the Google Maps API and AJAX.

4.2 Integrate with any other tools and Collaboration.
We released our HoneyBow under the name of mwcollect.org.

5. PAPERS AND PRESENTATIONS
=============================================================

5.1 Presentations
• J. Zhuge, Introduction to Honeypot/Honeynet and their applications, invited technical trainings at the South China Advanced Information Security Training Class, Oct 2006, and at CNCERT/CC, Nov 2006.

5.2 Papers
• J. Zhuge, X. Han, Z. Ye, W. Zou, Towards High Level Attack Scenario Graph through Honeynet Data Correlation Analysis, 7th IEEE IAW Workshop, 2006. (Not presented because J. Zhuge's visa request was refused by the US Embassy.)
• J. Zhuge, X. Han, Z. Ye, W. Zou, A Network Attack Plan Recognition Algorithm based on the Extended Goal Graph, Chinese Journal of Computer, 2006. (in Chinese)
• J. Zhuge, et al., An Investigation on the Botnet Activities, submitted to HotBots 2007 but not accepted.
• Five papers in submission to NetSec 2007 (in Chinese).

5.3 Are you looking for any data or people to help with your papers?
• Yes, we are looking for native English speakers to help us with our papers.

6. ORGANIZATIONAL
=============================================================

6.1 Changes in the structure of your organization.
The structure of the Chinese Honeynet Project had minor changes during the last period. Cheng Li left, and three new students joined (Jianhua Liao, Jinhui Zhong, Shixiong Zhu); we still have 5 staff, but now 9 students.

6.2 Your feedback on Alliance activities.
• Jianwei Zhuge attended the 2006 Annual Get Together for the first time.
• We took part in the GDH project, and deployed the only GDH node in China.

6.3 Any suggestions for improving the Alliance?
None currently.

7. GOALS
=============================================================

7.1 Which of your goals did you meet for the last period?
• 1. We finished the Hades project successfully, and helped CNCERT/CC to deploy and maintain a distributed honeynet based on open source tools and our own tools developed in the Hades project.
• 2. We got further funds for research on malware analysis technologies.
• 3. We have a master's student (Yan Li) working on the measurement of malicious Chinese websites using client honeypot technology and our malware dynamic analysis tool MwSniffer.
• 4. We wrote and submitted 2 English papers, got one (IAW 2006) accepted and the other (HotBots) rejected; and submitted 6 Chinese papers, got one (Chinese Journal of Computer) accepted, with the other 5 (NetSec) still in the review process.
• 5. We reconstructed our website and included the latest content from the honeynet community and our research. And we built good relations with CERTs (CNCERT/CC and CCERT), ISPs (China Mobile, etc.), and research teams (Tsinghua Univ., etc.) in China.

7.2 Which of your goals did you not meet for the last period?
• 1. We made no further progress on the research of honeynet data analysis technology, because of a lack of human/time resources.
• 2. Although we have constructed a widely distributed honeynet for Internet security measurement and have collected a huge amount of data, we have not written influential academic papers or KYE papers, mainly due to the lack of deep analysis of the data and the language gap.

7.3 Goals for the next six months
• 1. Finish the new research project on automatic malware analysis; construct a powerful malware analysis platform based on our earlier developed tools including MwScanner, MwDissector, and MwSniffer.
• 2. Help CNCERT/CC to enlarge the deployment of the Matrix Chinese Distributed Honeynet, analyze the collected data deeply and develop data analysis tools, and produce some good papers on security trends or data analysis techniques.
• 3. We plan to write a book on honeypot and honeynet technology in Chinese, with the aim of getting honeypot and honeynet technology accepted and used by more Chinese people.
• 4. We still need more funds to cover our growing expenses; we will apply for the 2007 Chinese National Information Security Plan Fund and look for other possible funding sources.

8. MISC ACTIVITIES
=============================================================

• Finished the Chinese National Information Security Plan Fund project on botnet discovery and tracking (Hades Project), Nov 2005 – Nov 2006.
• Got a further Chinese National Information Security Plan Fund for automatic malware analysis, Nov 2006 – Nov 2007.
• Analysis, containment and investigation of the Mocbot worm incident, with CNCERT/CC, Aug 2006.
• Translated the new KYE on Web Application Honeypots into Chinese.