Australian Honeynet Project

In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps, is that they are the combination of months of data without any respect to time.

So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.

Without further ado, here is a video of about a week's worth of SPAM on the planet Earth:

When zooming in on Europe, notice the 'Blue Banana', which is a discontinuous corridor of urbanisation in Western Europe is once again evident, as it was with the European heatmap. From North West England to Milan, 90 million people live in this corridor, and evidently a fair few of them have computers that send us SPAM. They call it a banana because of it's curvature but I've no idea why its blue.

We were hoping to see a 'follow the sun' aspect emerge, thinking that as people turn their computers off and go to bed, less spam will come from infected hosts in that timezone. This sounds reasonable, but it really only shows up to a fairly small degree in the video. It seems people don't turn infected hosts off at night. SPAM it seems, is 24x7.

We've also done the same technique for the location of network borne malware (worms) seen by our Australian SensorNET, in fact dataset with an IP and a timestamp - we can create a video of now. Feel free to contact us if you have an interesting dataset.
I used a product called 'logster' to do these videos, it is designed to read weblog files so that you can get an idea of who and when people visited your website. However you can use any dataset with an IP and timetamp, and parse it to make it look like an apache weblog file easily enough. This is what we (Thanks DavidZ) did with our nepenthes and SPAM data sets. Logster is another good analysis tool to have in the kit.

If you have a SPAM feed you would like to provide to the project, please email us at contact@honeynet.org.au

In part 2 of our VOIP phoneynet blog series, we look at some very high level details of the results we've seen to date.

As quick background, we decided to deploy VOIP honeypots for 2 reasons:

To get a feeling for the extent of network scanning being conducted against VOIP services in the AU network space. By network scanning, we mean probes by persons unknown to determine if there is a VOIP server available.

To trial some early generation VOIP honeypot technologies. These systems are so called 'low interaction' honeypots, in that only provide trivial functionality. They do not interact, or trick the miscreant into making calls or anything similar, they simply log attempts to connect.

The Internet location of the VOIP phoneypot is an important facet of the whole idea behind the Phoneynet. We use IP addresses that are not advertised anywhere as having providing VOIP services, so we can say that any attempt to probe this IP is an opportunistic 'discovery/reconnaissance' phase, as there is no other reason to try to connect to VOIP on the IP of the phoneypot! The initial probe would potentially lead to further nefarious activity (if indeed our honeypot was a real VOIP server). With regard to what the bad guys may use a compromised VOIP service for - we will cover some of this in Part 3 of this blog series.

After the initial setup was complete in March 2009, we waited a few weeks for the first interesting scan. Since then, we probably get only about one scan scan every few weeks. This amount of activity surprised me, as I'm used to looking at our sensornet activity, which sees multiple attacks per day. I really think VOIP scanning/hacking is in it's very early days, and as an underground market for compromised VOIP servers develops - we should expect to see more of these scans

Here is a map of the IP's that scanned the honeypot.
(click to enlarge)


Yes, that is Nairobi in Kenya.

The very first scan was interesting, and worthwhile highlighting. Logs are shown below.

---

----------------------------------------------2009-04-05 02:16:21
UDP message received [413] bytes :
OPTIONS sip:100@x.x.x.x(honeypot_IP_removed by ben) SIP/2.0
Via: SIP/2.0/UDP x.x.x.x(scanner_IP_removed by ben):5064;branch=z9hG4bK-371673121;rport
Content-Length: 0
From: "sipvicious"; tag=37626633376535343133633401323433373135323539
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"
Contact: sip:100@x.x.x.x(scanner_IP_removed by ben):5064
CSeq: 1 OPTIONS
Call-ID: 789722681006804995164495
Max-Forwards: 70
-----------------------------------------------
Unexpected UDP message received:
OPTIONS sip:100@x.x.x.x(honeypot_IP_removed by ben) SIP/2.0
Via: SIP/2.0/UDP x.x.x.x(scanner_IP_removed by ben) :5064;branch=z9hG4bK-371673121;rport
Content-Length: 0
From: "sipvicious"; tag=37626633376535343133633401323433373135323539
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"
Contact: sip:100@x.x.x.x(scanner_IP_removed by ben):5064
CSeq: 1 OPTIONS
Call-ID: 789722681006804995164495
Max-Forwards: 70
----------------------------------------------

---

The first thing that struck me was 'sipvicious'?? Oh I see, its a cute reference to the SIP protocol and the famous Sex Pistols member, Sid Vicious (read more about Sid here)
This led me to visit Sandro Gauci's website http://sipvicious.org. Sandro is a whitehat VOIP security provider. Security professionals would be familiar with 'must have' security audit tools such as 'nmap' and 'nessus' and many others. These tools are used by the both the good guys and the bad guys. Good guys use them to conduct 'penetration testing' of Internet systems in an effort to discover problems and fix them up. Bad guys can also use these same tools to discover these weaknesses before they are fixed up.

'Sipvicious' is basically a VOIP security auditing tool, offered by Sandro (a white hat) so that the good guys can learn more about their vulnerabilities and fix them before they are used by the bad guys, note the 'User-Agent: friendly-scanner' in the logs above, this is the default action of Sipvicious.
Now, I have no idea as to the motivation of the persons who pointed sipvicious at our honeypots. But I believe that they are opportunistic scans by a miscreant, so that they may be examined further to determine for vulnerabilities.

In summary, the takeway points from this blog are:
- VOIP scanning in Australia does exist.
- Tools and techniques used by the white hat community are also used by the miscreant.

Next up in this Blog series:
VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"

---

We are the Australian Honeynet Project:
- Shaun Vlassis
- Ben Reardon
- David Zeliezna

Founded in Jan 2008, the Australian Honeynet Project supports the mission of understanding the tools, tactics and motives of those who represent a cyber threat. We share our findings with other security researchers and Law Enforcement authorities. We hope our activities will benefit Australian citizens who make legitimate use of the Internet. Our broad aim is to help make the Internet a safer place for end users.

Essentially the Australian Honeynet Project is a community based 'For Public Good' project, we currently have three core members who guide and maintain the project.

We also have 'contributors' who provide advice, intelligence, data and resources to the project. Contributors can participate for as long as they desire. We try to match contributor's skills and resources up with pieces of work we need done at the time.
Work on the project is done in our spare time and as private citizens. We do not receive wages or other payments for our work. We are not affiliated, guided by or indebted to any commercial or government entity - be they sponsors, contributors or employers. This is our most important ethos, because it allows us to maintain our independence to develop the project without outside pressures, and keep the public good as our primary concern.

Read more about us here.

---