Using Honeypots to Analyze Bots and Botnets
Eirik Falk Georg Bergande
Jon Fjeldberg Smedsrud
Master of Science in Communication Technology
Submission date: June 2007
Supervisor: Svein Johan Knapskog, ITEM
Co-supervisor: André Årnes, Kripos
Norwegian University of Science and Technology
Department of Telematics
Problem Description
The students will continue their honeypot project started in the fall of 2006. The existing honeypot
setup will be expanded and further enhanced for collecting and analyzing honeypot data. The
experiments will be aimed towards the area of botnets, including automated and manual attacks.
A combination of low and high interaction honeypots will be used as parts of an adaptable solution
to obtain the best possible security relevant measurements and thereby gain increased knowledge
of malicious traffic on the internet.
Assignment given: 17 January 2007
Supervisor: Svein Johan Knapskog, ITEM
Abstract
In this Master's thesis we perform honeypot experiments in which we allow malicious users
access to our systems and analyze their behaviour. Our focus is on botnets, and on how
attackers proceed to infect systems and add them to their botnet. The experiments include
both high-interaction honeypots, where attackers manually access our systems, and
low-interaction honeypots, where we receive automated malware. The high-interaction
honeypots are ordinary Linux distributions that access the internet through a Honeywall, which
captures and controls the data flow, while the low-interaction honeypots run the
Nepenthes honeypot. Nepenthes works by passively emulating known vulnerabilities and
downloading the malware that exploits them.
The honeypots have been connected to both the ITEA and UNINETT networks at NTNU. The
network traffic filtering on the IP addresses we received has been removed in order to
capture more information. Installing the honeypots is a rather complicated matter, and the
setup and configuration of both the high- and low-interaction honeypots are described in
detail.
The captured data has been thoroughly analyzed with regard to both intent and origin. The
results from the high-interaction honeypots focus on the methods and techniques that the
attackers use. The low-interaction honeypot data comes from automated sources and is
primarily used for code and execution analysis. Through this we gain a higher degree of
understanding of the botnet phenomenon, and of why botnets are so popular amongst blackhats.
During the experiments we captured six attacks toward the high-interaction honeypots,
all of which have been analyzed. The low-interaction honeypot, Nepenthes, captured 56
unique malware samples, of which 14 have been analysed. In addition, there is a
thorough analysis of the Rbot.
Acknowledgements
This thesis is written by Eirik Bergande and Jon Smedsrud, but it would not have been
completed without contribution from several people. We would like to thank the following
people for helping us:
• Professor Svein Johan Knapskog for his guidance and help in shaping this Master
thesis.
• PhD André Årnes for valuable input, guidance during the writing and proofreading the
report.
• David Watson, head of the UK honeynet project, for helping us set up the
Nepenthes server.
• Pål Sturla Sæther and Asbjørn Karstensen for supplying us with all the equipment we
needed during our experiments.
• ITEA and UNINETT for letting us use their IP-range.
• PhD Crina Grosan for translating Romanian IRC chat logs to English.
Content
Abstract.......................................................................................................................................I
Acknowledgements.....................................................................................................................I
Content.....................................................................................................................................III
List of Figures...........................................................................................................................V
List of Tables.............................................................................................................................V
Abbreviations...........................................................................................................................VI
1 Introduction........................................................................................................................1
1.1 Scope..........................................................................................................................1
1.2 Background................................................................................................................1
1.3 Description.................................................................................................................2
1.4 Structure.....................................................................................................................2
2 Honeynet and honeypots....................................................................................................5
2.1 Honeypots...................................................................................................................5
2.2 Honeynet....................................................................................................................5
2.3 The Nepenthes honeypot............................................................................................9
3 Botnet introduction...........................................................................................................11
3.1 Initial propagation....................................................................................................12
3.2 Execution – the life of the bot begins.......................................................................14
3.3 Controlling the bots..................................................................................................15
3.4 Functionality and services........................................................................................16
3.5 Motives and economics............................................................................................19
4 Botnet trends....................................................................................................................21
4.1 IRC and Domain Name Service...............................................................................21
4.2 Instant Messaging C&C channels............................................................................22
4.3 Web based C&C Servers..........................................................................................22
4.4 Drop Zones and FTP based C&C Servers................................................................23
4.5 Proprietary backdoor C&C channels........................................................................23
4.6 P2P Botnet C&C channels.......................................................................................23
5 Implementation.................................................................................................................25
5.1 Honeynet Implementation........................................................................................25
5.2 Honeypots.................................................................................................................26
5.3 Nepenthes Implementation.......................................................................................28
5.4 Sandnet Analysis Implementation............................................................................30
6 Digital Forensics and Data Analysis................................................................................39
6.1 Data Acquisition.......................................................................................................39
6.2 The Analysis.............................................................................................................41
7 Analysis of the Linux Honeypots.....................................................................................45
7.1 Method.....................................................................................................................45
7.2 Incident Response Plan............................................................................................45
7.3 2007.03.25................................................................................................................48
7.4 2007.04.12................................................................................................................51
7.5 2007.04.25................................................................................................................53
7.6 2007.04.28................................................................................................................56
7.7 2007.04.29................................................................................................................60
7.8 2007.05.04................................................................................................................62
7.9 Summary of the analysis..........................................................................................64
8 Analysis of the Windows Malware..................................................................................69
8.1 Sandnet analysis.......................................................................................................69
8.2 Internet analysis........................................................................................................70
8.3 Checklist...................................................................................................................72
8.4 Overview of the Downloaded Nepenthes Malware.................................................74
8.5 Analysis of 8b40c17c0fd9756bf5e9938786962acd.................................................82
8.6 Analysis of c1143d2c458c6ddcf747cf1d07939cfc..................................................85
8.7 Analysis of e9041725b72dff55ec06efd5eb689c4c..................................................89
8.8 Analysis of ed82850e0ff267b4bf662425ba1a6f1f...................................................92
8.9 Analysis of fdec684b580dbb268fa304c485756af9..................................................95
8.10 Analysis of 0ce21e7ea9743f64774df29d47c138c2.................................................99
8.11 Analysis of 5bfd3657259a3f26d00f242487037304...............................................103
8.12 Analysis of 9fea785ca9ef38f32fbdd1ad5b64eea0.................................................107
8.13 Analysis of 41a75fcf84086198bd29ee34e40fcf85.................................................110
8.14 Analysis of f5abfc06a5088f9b0752f786b484024d................................................114
8.15 Analysis of d98b3e6f3425c088934c5005cc3e823e...............................................118
8.16 Analysis of 69fe26256de0d2c718ebd4943822271c..............................................121
8.17 Analysis of b77e035efb29c37cd3bec9ee174daa9b...............................................125
8.18 Analysis of d29188b4e836e52cc45e004ef948389f...............................................131
8.19 In-depth analysis of the RBot.................................................................................133
8.20 The collected Rbot from our Nepenthes honeypot.................................................135
8.21 Summary of the analysis........................................................................................141
9 Conclusion......................................................................................................................149
10 Future Studies.............................................................................................................151
References:.............................................................................................................................153
Web references:......................................................................................................................155
Figure references:...................................................................................................................157
Appendix A: Lab equipment overview............................................................................158
Appendix B: Extracting Sebek data from the Honeywall................................................159
Appendix C: Translated IRC Log from March 25-26.....................................................160
Appendix D: Honeywall Web interface – Walleye.........................................................169
Appendix E: HONEYWALL.CONF...............................................................................172
Appendix F: Command Reference for the Rbot..............................................................179
Appendix G: The RxBot2006 C++ files..........................................................................186
Appendix H: Tenpo.bat and 1.reg – Rbot Registry Changes...........................................190
Appendix I: Nepenthes installation....................................................................................194
Appendix J: Thwarting VMware detection mechanisms....................................................195
Appendix K: Overview of the Rbot Source Files............................................................196
Appendix L: Rbot logged in to the IRC test server.........................................................197
List of Figures
Figure 1: Honeynet Architecture [fig1]......................................................................................6
Figure 2: Bots and botnets [fig2]..............................................................................................12
Figure 3: Infection/propagation methods [fig2].......................................................................13
Figure 4: Honeynet lab.............................................................................................................27
Figure 5: The honeynet lab.......................................................................................................27
Figure 6: Sandbox picture of psax............................................................................................58
Figure 7: Sandbox picture of SSH scanner execution..............................................................58
Figure 8: Inbound connections toward 129.241.189.2, ITEA..................................................65
Figure 9: Inbound connections toward 158.38.144.2, UNINETT...........................................66
Figure 10: Inbound connections toward 129.241.189.3, ITEA................................................66
Figure 11: Inbound connections toward 158.28.144.3, UNINETT.........................................67
Figure 12: Inbound connections on all honeypots...................................................................67
Figure 13: Number of SSH scans towards the honeynet...........................................................68
Figure 14: We are logged in to one of our test bots.................................................................70
Figure 15: Infection notice for installing Adware..................................................................126
Figure 16: Registry Cleaner...................................................................................................127
Figure 17: Desktop after infection.........................................................................................130
Figure 18: Malware size.........................................................................................................144
Figure 19: DNS C&C Servers................................................................................................144
Figure 20: IP addresses C&C Servers......................................................................................145
Figure 21: Ports used by C&C Servers..................................................................................145
List of Tables
Table 1: Nepenthes honeynet server modules..........................................................................10
Table 2: Filenames and hashes from the attack, 2007.03.25....................................................48
Table 3: Filenames and hashes from the attack, 2007.04.12....................................................51
Table 4: Filenames and hashes from the attack, 2007.04.25....................................................53
Table 5: Filenames and hashes from the attack, 2007.04.28....................................................56
Table 6: Filenames and hashes from the attack, 2007.04.29....................................................60
Table 7: Filenames and hashes from the attack, 2007.05.04....................................................62
Table 8: Malware samples received on both networks with infection date............................142
Abbreviations
CD Compact Disc
DDoS Distributed Denial of Service
DNS Domain Name Server
FTP File Transfer Protocol
HTTP HyperText Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IIS Internet Information Services
IP Internet Protocol
IPS Intrusion Prevention System
IRC Internet Relay Chat
ISP Internet Service Provider
ITEA IT-seksjonen ved NTNU
LAN Local Area Network
LCD Liquid Crystal Display
MAC Medium Access Control
MD5 Message-Digest Algorithm 5
MSN Microsoft Network
NetBIOS Network Basic Input/Output System
NTNU Norges Teknisk-Naturvitenskapelige Universitet (Norwegian University of Science and Technology)
OS Operating System
P2P Point-to-point
PC Personal Computer
PHISHING Password Harvesting Fishing
RPC Remote Procedure Call
SANS SysAdmin, Audit, Network, Security Institute
SCP Secure Copy
SHA-1 Secure Hash Algorithm 1
SMB Server Message Block
SOCKS SOCKetS
SQL Structured Query Language
SSH Secure Shell
SSL Secure Socket Layer
TCP Transmission Control Protocol
TTL Time to Live
UDP User Datagram Protocol
URL Uniform Resource Locator