So it's that time of the year again when Australia's best and brightest get together to talk infosec and drink beer. I was hoping to make it to the conference this year, but instead I will be attending SANS Sydney SEC504 Hacker Techniques, Exploits & Incident Handling. If you will be at SANS Sydney, drop me a line.
If you live in Australia, and are interested in or are working in Information Security, Ruxcon is the one event not to miss!
When: Saturday, November 20 and Sunday, November 21, 2010
Where: CQ Melbourne Function Centre (113 Queen Street, Melbourne)
Time: Doors open 9:00am on Saturday and Sunday. First presentation at 10:00am.
Cost: $80 or $75 via online registration
Here is a bunch of info about the conference from the Ruxcon site:
Ruxcon is the premier technical security conference in Australia. The conference brings together the best and the brightest security talent within the Aus-Pacific region, through a mixture of live presentations, activities and demonstrations.
Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry professionals and academics to enthusiasts. Ruxcon is unique in that it believes that a security conference should be accessible and affordable to all levels of the security industry.
Ruxcon 2010 is held over two full days (November 20 and 21) in the heart of the city of Melbourne.
There is some really great training on offer in the week leading up to Ruxcon; if I weren't attending SANS I would definitely have considered:
- A Vigorous Introduction to Malware Analysis
- Malware Analysis for Effective Incident Response
Training (from site):
Ruxcon Training provides a unique opportunity for students to receive specialist security training not usually available in Australia. Our trainers are considered to be leading experts in their given security fields and have prior experience training students. Ruxcon 2010 is the first time training of this calibre has been offered in Australia.
Ruxcon training will take place just before the main Ruxcon conference, starting on Monday the 15th of November and ending on Friday the 19th of November.
Depending on the course, training will run over one or two day periods. Sessions commence at 9:00am and conclude at 5:00pm. For most courses, each student will receive a printed and bound training guide. Complementary catering will be provided.
Training availability is dependent on the number of bookings we receive for a given course.
| Course | Trainer | Level | Duration | Dates |
|---|---|---|---|---|
| Finding Security Bugs in Closed-source Software | Halvar Flake | Beginner | 2 days | 18/11 - 19/11 |
| A Vigorous Introduction to Malware Analysis | Paul Ducklin & Pete Taylor | Beginner | 1 or 2 days | 18/11 - 19/11 |
| Web Penetration Testing - Beginner | Louis Nyffenegger | Beginner | 1 day | 18/11 |
| Web Penetration Testing - Intermediate | Louis Nyffenegger | Intermediate | 1 day | 19/11 |
| Breaking the Glass | Jonathan Brossard | Intermediate | 2 days | tba |
| Malware Analysis for Effective Incident Response | Nishad Herath | Intermediate | 2 days | tba |
| Proactive Security and Threat Intelligence | Nishad Herath | Beginner | 1 day | tba |
| Assurance "Hands On" Wireless Service Auditing | Neel Wise & Oliver Greiter | Beginner | 1 day | tba |
There were three talks that I really wanted to see; hopefully the presentations are recorded:
- Mark Chaffe: The Australian Internet Security Initiative - Fighting Botnets at the Source
- Alex Tilley: This Job makes you Paranoid
- Matthew de Carteret: Ghost in the Shell(code)
Presentation Schedule: Can be viewed here
This update is long overdue, work and other things seem to have been taking up more time lately. Over the past month and a half an amazing amount of attack data has been captured, far exceeding what I imagined would be seen. Therefore, Dionaea has firmly cemented its place in my research environment going forward.
- 110038 total connections
- 664 malware samples captured - 141 MB total
- large amount of shellcode captured - 20 MB total
- wide distribution of attack sources - 55 countries total
OK, first up are the attacks by country; again I was surprised by the dispersion between countries. The top five attacking countries to date are:
Pie of Pie chart showing all countries that have successfully attacked my Dionaea install.
Finally, here is a Geo Map representing the attack data displayed above.
Next up is the port distribution of the successful attacks on the honeypot:
It is interesting to note from the pie chart above that almost half of the successful attacks were on port 135 (49%) with port 445 (36%) following a close second. This totaled 85% of all successful attacks on the Dionaea system.
As for malware captured over the period to date, lots of interesting samples have been received. Overall Conficker, Virut, Virtob, Allaple and Kido were the main offenders. Some interesting one-off samples were received, however, such as Trojan.Spy.XXP, Win32.Sality.OG, and Packer.RLPack.D, which appears to be Trojan-Banker.Win32.Banker.cxx. Nasty nasty stuff. As with my previous tests I ran BitDefender over the binaries folder and was surprised by the results:
Infected files: 512
Suspect files: 10
Identified viruses: 512
With ten files being 'suspect', that leaves us with 142 samples that were not detected as malicious by BitDefender. When I have more time I will have the rest scanned against another engine and the results recorded; for now the data that I have will do. With my next deployment I am hoping to have multiple AV engines scan each sample as it is downloaded, then log that data into SQL or similar. I am also hoping to have this done for IP geolocation, which will save me a lot of time.
In the next few weeks I would like to get familiar with the Thematic Mapping API, which looks very exciting. If anyone has any information they would like to share about security visualisation please leave a comment; I am looking for cool new tools to play with, especially ones based around geolocation.
On another note, I recently upgraded the main server in my research environment thanks to some cheap hard disks from my flatmate (Thanks dude!). I desperately needed some more space for snapshots and also needed room to deploy some more virtual machines. Over the next few weeks I will be rebuilding my honeynet and pentesting environments.
I am also very keen to play with Kippo. I have seen great results from Andrew Waite - Infosanity, Miguel - Diatel and Tomasz Miklas - CTRL ALT DEL. Nothing like seeing a real attack happen in real time.
The first 24 hours of my Dionaea installation's life were interesting to say the least. During this time a significant amount of traffic was being generated from a single IP address in China (AS4134 - CHINANET-BACKBONE No.31,Jin-rong Street): approximately eighty-nine thousand attempted connections in a 24hr period, all directed at port 1433. The number of connections from other countries was relatively low in comparison (< 100). Below is a timeline representing the number of attempted connections per hour over the 24hr period:
Next up is the number of successful connections. I really like the level of detail that Dionaea provides, especially with the sqlite logging. All I need to do is get the p0f ihandler going, and also get some form of geolocation happening automatically, and I will be happy:
Next up we have a breakdown of the malware samples received during the 24hr period. Three unique samples were seen during this time as follows:
Initially, when I observed the volume of attack information coming in from a single IP address to a single port, I assumed there may have been something a bit more than meets the eye going on. Apparently not! Thanks to Markus from Carnivore.it for making contact with me and taking a look at the sqlite database. It seems the persistent IP that was hitting the honeypot wouldn't take no for an answer when SQL wasn't offered. The traffic coming in from this particular IP has now stopped and lots of other great attack data is flowing in.
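The triage described in this post, counting attempts per hour, breaking accepted connections down by port, and noticing when one source dwarfs everything else, can be done directly against Dionaea's sqlite log. The following is an added example rather than the author's or the Dionaea project's code; it assumes the `connections` table layout written by Dionaea's logsql handler (the column names are an assumption) and runs over a small constructed table built in memory.

```python
"""Triage queries over a Dionaea-style sqlite connection log (added example)."""
import sqlite3
from collections import Counter

# Constructed sample rows: (remote_host, remote_port, local_port, type, timestamp).
# Hosts come from the RFC 5737 documentation ranges; timestamps start on an
# exact hour boundary (T0 is a multiple of 3600) and span three hours.
T0 = 1_288_000_800
SAMPLE = (
    # one persistent source, rejected over and over on 1433 (no MSSQL service offered)
    [("203.0.113.9", 5000 + i, 1433, "reject", T0 + i * 60) for i in range(150)]
    # a handful of accepted connections on the RPC/SMB ports, plus one on HTTP
    + [("198.51.100.%d" % (i + 1), 40000 + i, 135, "accept", T0 + 3600 + i * 300) for i in range(7)]
    + [("198.51.100.%d" % (i + 1), 41000 + i, 445, "accept", T0 + 7200 + i * 400) for i in range(5)]
    + [("192.0.2.77", 42000, 80, "accept", T0 + 7300)]
)


def build_sample_db():
    """Return an in-memory sqlite db holding the constructed rows in a table
    shaped like Dionaea's logsql `connections` table (column names assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE connections (
        connection INTEGER PRIMARY KEY, connection_type TEXT,
        connection_timestamp INTEGER, local_port INTEGER,
        remote_host TEXT, remote_port INTEGER)""")
    db.executemany("INSERT INTO connections (remote_host, remote_port, local_port, "
                   "connection_type, connection_timestamp) VALUES (?, ?, ?, ?, ?)", SAMPLE)
    return db


def attempts_per_hour(db):
    """Every attempt, accepted or rejected, bucketed by clock hour: [(hour_epoch, n)]."""
    return list(db.execute(
        "SELECT (connection_timestamp / 3600) * 3600 AS hour, COUNT(*) "
        "FROM connections GROUP BY hour ORDER BY hour"))


def port_distribution(db):
    """Share of accepted connections per local port: [(port, count, percent)]."""
    rows = db.execute(
        "SELECT local_port, COUNT(*) AS n FROM connections "
        "WHERE connection_type = 'accept' GROUP BY local_port ORDER BY n DESC").fetchall()
    total = sum(n for _, n in rows)
    return [(port, n, round(100.0 * n / total, 1)) for port, n in rows]


def dominant_sources(db, share=0.5):
    """Remote hosts that alone produce more than `share` of all attempts; a
    single host this loud usually means one scanner, not a broad campaign."""
    counts = Counter(h for (h,) in db.execute("SELECT remote_host FROM connections"))
    total = sum(counts.values())
    return [(h, n) for h, n in counts.most_common() if n / total > share]


if __name__ == "__main__":
    db = build_sample_db()
    for hour, n in attempts_per_hour(db):
        print("hour %d: %d attempts" % (hour, n))
    for port, n, pct in port_distribution(db):
        print("port %d: %d accepted (%.1f%%)" % (port, n, pct))
    print("dominant sources:", dominant_sources(db))
```

Pointing `sqlite3.connect` at the honeypot's real sqlite log file instead of the constructed table runs the same queries on live data.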
From what I have seen so far Dionaea is definitely going to be running in my research environment for a long time to come. It's going to take a bit of time to get the most out of the system but already things are looking very promising. Stay tuned for the 30 day detailed summary of Dionaea's performance.
Over the weekend I plan to attempt some basic malware analysis on one of the binaries my Dionaea installation has captured. Have a nice weekend
After a lot of reading, a few very late nights, and a fair bit of indecision, I decided to install Dionaea. It was down to mwcollectd or Dionaea as my next choice for a 30 day test, but I had quite a few issues getting mwcollectd running properly. I think this is mostly due to my lack of experience compiling stuff in Linux, and also not understanding what to do when things fail or don't compile as expected. So I moved on and began to follow Markus' extensive Dionaea install documentation.
My first few attempts failed, in epic fashion. Initially for some unknown reason I decided to install Python 3 from testing... even though the documentation says to compile it. This brought up issues with sqlite3, again frustrating but a good learning experience. Follow the doco! In the end I had to make a slight modification to the ./configure script when compiling Dionaea, as Cython was not being found. Other than that the install was very smooth. I installed Dionaea under Debian 64bit, chose KDE graphical install and left the 'Standard System' and 'Desktop Environment' options checked.
I thought it would be a good idea to post the steps I took to install Dionaea, not sure if it is of use to anyone else. It's basically just a rehash of Markus' documentation.
1. Stuff from APT
apt-get install libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev python-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config
2. gettext / glib
apt-get install gettext
tar xfj glib-2.20.4.tar.bz2
git clone git://git.carnivore.it/liblcfg.git liblcfg
git clone git://git.carnivore.it/libemu.git libemu
5. libnl (optional)
git clone git://git.kernel.org/pub/scm/libs/netlink/libnl.git
tar xfz libev-3.9.tar.gz
tar xfz Cython-0.12.1.tar.gz
python setup.py build
python setup.py install
apt-get install sqlite3
9. Python 3.1.2
tar xfz Python-3.1.2.tgz
./configure --enable-shared --prefix=/opt/dionaea --with-computed-gotos \
apt-get install libxml2-dev
aptitude install libxslt1-dev
tar xfz lxml-2.2.6.tgz
/opt/dionaea/bin/2to3 -w src/lxml/html/_diffcommand.py
/opt/dionaea/bin/2to3 -w src/lxml/html/_html5builder.py
/opt/dionaea/bin/python3 setup.py build
/opt/dionaea/bin/python3 setup.py install
tar xfz udns_0.0.9.tar.gz
cp udns.h /opt/dionaea/include/
cp *.so* /opt/dionaea/lib/
ln -s libudns.so.0 libudns.so
14. Curl & C-ares
tar xfz c-ares-1.7.3.tar.gz
tar xfj curl-7.20.0.tar.bz2
tar xfz libpcap-1.1.1.tar.gz
16. Dionaea (with my own changes on the Cython line from '/usr/local/bin' to '/usr/bin')
git clone git://git.carnivore.it/dionaea.git dionaea
./configure --with-lcfg-include=/opt/dionaea/include/ \
./dionaea -l all,-debug -L '*'
Within moments of launching Dionaea, connection attempts began pouring in, mostly rejected attempts. After around 30 minutes the first sample was received, along with some interesting colours flying past; I am looking forward to going through the logs later this evening. Now all that's left to do is get the p0f ihandler turned on. So far things are looking promising.
Getting Dionaea up and running has been a great experience. I've learned a lot about compiling, dependencies, issues, and Debian in general. I'm very keen to see what kind of information it can produce over the coming month.
*update: 27th November 2010 - Updated Dionaea Install Instructions
Following on from my post last week, today marks the beginning of National Cyber Security Awareness Week in Australia. As mentioned previously, I have decided to post links to some good cyber security awareness resources for general internet users:
'Anti-Phishing Phyllis teaches users how to recognize phishing traps indicative of fraudulent emails. With phishing attacks on the rise, this is a training game that every employee and customer should play.'
'The following page provides information and tips on using social networking sites safely, dealing with cyber bullying and online grooming and how to secure your mobile phone as well as links to other resources.'
'Cybersmart provides activities, resources and practical advice to help young kids, kids, teens and parents safely enjoy the online world. Cybersmart also offers training and resources for schools and materials for library staff. Developed by the Australian Communications and Media Authority, Cybersmart is part of the Australian Government’s cybersafety program.'
'The small business self-assessment tool is designed as a guide to provide your business with appropriate measures to improve your online security.'
'SCAMwatch is a website run by the Australian Competition and Consumer Commission (ACCC). SCAMwatch provides information to consumers and small businesses about how to recognise, avoid and report scams.'
The Australian Government’s cyber security website provides information for Australian internet users on the simple steps they can take to protect their personal and financial information online.
The better educated users are about the risks and threats present on the internet, the less chance they will fall prey to the bad guys. To recap from my previous post, here are the six simple tips for better online security from the government's Stay Smart Online website:
1. Install security software and update it regularly.
2. Turn on automatic updates so that all your software receives the latest fixes.
3. Get a stronger password and change it at least twice a year.
4. Stop and think before you click on links or attachments.
5. Stop and think before you share any personal or financial information—about yourself or your friends and family.
6. Know what your children are doing online. Make sure they know to stay safe and encourage them to report anything suspicious.
Next Monday marks the beginning of National Cyber Security Awareness Week in Australia, an annual initiative of the Department of Broadband, Communications and the Digital Economy.
National Cyber Security Awareness Week is held in partnership with industry, community and consumer groups and state and territory governments.
This year the week will promote six simple tips for better online security:
- Install security software and update it regularly.
- Turn on automatic updates so that all your software receives the latest fixes.
- Get a stronger password and change it at least twice a year.
- Stop and think before you click on links or attachments.
- Stop and think before you share any personal or financial information—about yourself or your friends and family.
- Know what your children are doing online. Make sure they know to stay safe and encourage them to report anything suspicious.
To mark the beginning of the week I will be posting links to some great cyber security awareness resources that I have come across in recent times. These can be passed to friends and family, to assist them to better understand the ever present threats and dangers on today's internet.
For a while I have needed to upgrade my home research lab environment. I have been running multiple Pentium 4 machines, which is inefficient both in the time spent setting up and deploying systems and in the large amount of power consumed.
So I decided to purchase a rack mount server and deploy VMware ESXi. I managed to pick up a Dell PowerEdge 1950 1RU server for AU$900 with 2x Dual Core Xeon 5130s (2GHz). To that I have added a further 8GB of DDR-2 ECC RAM, bringing the server up to 10GB in total.
Firstly, I must say WOW. ESXi and the vSphere Client have cut my deployment time down by such an amount that the time it takes to deploy a system is negligible. Sure, I spent a bit of time setting up my templates and routing with Vyatta (I will expand on this topic in a later post). Overall the process has now gone from painful to painless.
Anyway enough of that, let's get back on topic. Now that my research environment had been upgraded I thought I would take it for a test run, deploying the Nepenthes honeypot for 30 days to see what kind of activity is captured. I will go into detail in a later post about my specific Nepenthes system configuration, but in short I run Debian Lenny 64bit (minimal) and use 'apt-get install nepenthes' to perform the install. Always works like a charm.
The honeypot ran for 30 days in Eastern Australian IP space. Here is an excerpt from Andrew Waite of InfoSanity's submission2stats.py python script:
Statistics engine written by Andrew Waite - www.InfoSanity.co.uk
Number of submissions: 117
Number of unique samples: 34
Number of unique source IPs: 81
Days running: 30
Average daily submissions: 3
So as can be seen above, quite a bit of activity was captured. A breakdown of the number of malicious samples received per country is below:
Here is the data above represented in a Geo Map:
I was surprised with the country dispersion, I really didn't expect Japan to top the list.
The top five countries in order are:
- Australia / Thailand
Next I needed to run the binaries that had been captured through a virus scanner to see what was there. BitDefender is nice and easy to install on Debian as follows:
sudo nano /etc/apt/sources.list
Add the line:
deb http://download.bitdefender.com/repos/deb/ bitdefender non-free
Then run the following commands to download and import the key, update APT, and install BitDefender:
sudo wget http://download.bitdefender.com/repos/deb/bd.key.asc
sudo apt-key add bd.key.asc
sudo apt-get update
sudo apt-get install bitdefender-scanner
The scan can then be run from the shell; the log will be placed in your Nepenthes log folder (/var/log/nepenthes):
sudo bdscan --log=/var/log/nepenthes/scan.txt /var/lib/nepenthes/binaries
BitDefender detected 32 of the 34 samples as infected. The two samples that were reported as 'OK' by BitDefender were uploaded to Virus Total to identify their type:
Number of submissions: 117
Number of unique samples: 34
Number of unique malware types: 11
Some interesting information has been captured over the past thirty days. Nepenthes is a great tool for capturing malware and associated attack information. Over the coming weeks I will pick a sample from the malware captured during this run and perform basic analysis of the binary. I am very new to reverse engineering, but as the saying goes, "Nothing ventured, nothing gained."
I have started this blog to help document research, tools and techniques. I am currently studying information security and have found a lot of value in postings by others who are also walking the info sec learning path.
Next on the radar: