Australian Honeynet Project

Late in July 2010, we assessed over 21 solutions that were submitted to the Forensic Challenge on VOIP.

The solutions were exceptionally high quality. It is fair to say that we all learnt a lot about this emerging threat in the process of preparing this challenge.

Congratulations to the winners:
- Franck Guenichot (France)
- Fabio Panigatti (Italy)
- Shaun Zinck (USA)
You can download these solutions, here on the main challenge webpage.

Even though the official challenge is over, you are free to download the challenge and try it yourself at any time. Feel free to send your solution in for review also.

I really enjoyed the process of the Challenge, it was an awesome global team effort to prepare, translate, mark and generally organise FC4.

Some of you seem hooked on the challenges, and it is fantastic to start seeing the same names appearing on successive challenges, so watch out for FC5 which is due out soon!

ben

We are pleased to announce that the next Honeynet Project Forensic Challenge has been released: "Forensic Challenge 4 - VOIP". If you've been following my VOIP blog series here, you might be interested in taking up the challenge.

Designing the challenge was a joint project with Sjur Usken from the Norwegian chapter. I've been working with Sjur on VOIP honeynet research since last year's annual workshop in KL. For the forensic challenge, we had assistance from several other chapters who provided some valuable feedback, so it was a great all round team effort.

Also of note is that for the first time, we've had the challenge translated into Chinese (both Simplified and Traditional versions). This was carried out by Julia Cheng from the Taiwan chapter, Jianwei Zhuge from the China chapter and Roland Cheung from the Hong Kong chapter. The translation was not a trivial task, so a special 谢谢 (thank you - Traditional CN) and 謝謝 (thank you - Simplified CN) to those involved.

Best of luck, and enjoy the challenge!
"謝謝，請多多指教"
ben

Our Annual workshop was held last week at UNAM University in Mexico City, which is an inspiring venue.

The workshop enables chapters from all over the globe to meet, discuss ideas, share experiences and develop our toolsets for data collection and data analysis. It is an extremely valuable and unique event, where chapters from around 20 countries find the time to attend the 4 day workshop. The type of collaboration that is fostered during these workshops just cannot occur to the same extent online, so the workshop is the highlight of the year for us.

The Australian Chapter contributed to the workshop by presenting on our work over the last year in the following areas:
- Visualization
- VOIP honeypots, and how they react to VOIP scanning/cracking tools
- Sandbox tools
- Defacement monitoring

This year, we were also lucky to get advice on blogging from renowned security journalist Brian Krebs and also learnt some presentation tips from our own Lance Spitzner.

A big "Muchos Gracias" goes to our hosts from the UNAM Chapter. They really went our of their way to make sure we were all looked after, and this made the whole experience so much more valuable and enjoyable.

We are happy to report that on March 18, Google accepted the Honeynet Project's GSOC 2010 application. We are now one of the 152 Mentor organizations working busily on project ideas and chatting to prospective students in preparation.

View our current project ideas here, remember that these ideas can come from anyone, so if you have a good idea - please don't be afraid to put it up for consideration (nothing ventured, nothing gained!) We also highlight this is a global effort, students from many countries (including Australia) can participate. Visit the google GSOC FAQ's here, which includes the eligibility requirements.

The next phase of the project is the student application period, which extends through to April 9. View the full timeline here.

Please also drop in our IRC channel #gsoc-honeynet on irc.freenode.net if you have any questions, or are interested in getting involved. We have honeynet chapter members in a good spread of timezones, so there will always be one us to help with queries.

ben

Backing up from our successful debut in Google's "Summer Of Code" initiative GSOC 2009, The Honeynet project have applied to be part of the upcoming GSOC 2010 program.
For details of our submission (and a summary of last year's program) refer to our main GSOC site.

We will find out if our application is successful on March 18th, when hopefully we will begin refining the project ideas, and chatting to prospective students.

Feel free to drop in our IRC channel #gsoc-honeynet on irc.freenode.net if you have any questions.

ben

There are quite a few ways that a criminal can make use of a compromised VOIP server. Its important to realize that the criminal mind is very imaginative, and there will be many motives and scams that we have not even imagined yet, much less experienced.
When looking at these types of questions, I think it helps to have the notion of motive in the back of your mind. This may sound obvious, but I find this helps answer the question 'what would a person or group with this motivation want with a compromised VOIP system?'.

Here are some potential motives. While I won't go into every possible scenario, it's really not hard to imagine that the full control of target's phone system would be handy for people with any of these motives.

Financial gain

Political

Religious

Reputation and ego of the hacker

Intellectual Property theft, Trade Secrets

Espionage

Retribution, commercial or personal

Vandalist, miscreant activity (bored youth..)

I got some great local and international feedback on incidents from readers of Part 1 and Part 2 of this blog series (Thank you everyone). Most of these incidents seem to fall into the 'Financial gain' motive group, so I'll give two examples of a common attacks which are currently seen in AU and overseas, and a possible future threat.

Cheap overseas calls / calling cards.
One of the most common uses for hacked VOIP servers is to simply make unauthorized calls, and there have been incidents of hacked VOIP servers being used in relation to calling card scams to do just this. This is not to say that all cheap calling cards operations are scams, most I'm sure are legitimate.
Here is a brief overview of a simple version of the scam:

The crook controls a hacked VOIP system in (say) Australia. This means that they can accept and redirect calls, and essentially control every aspect of that phone system.

The crook sells 'calling cards' to citizens of another country that live in, or are visiting Australia. The card allows them to call home at ridiculously cheap rates, a tiny fraction of the cost of a legitimate overseas call.

The buyer of the calling card is instructed to call a local (probably legitimate) number in Australia and then enter in the international number they are trying to reach. The crook then reroutes these calls through VOIP to the hacked system, which then makes the international call. This functionality could potentially be turned off periodically to evade being uncovered, and could even be configured to only use the hacked VOIP server for calls to a specific set of countries.

The buyer of the calling card of course could not be aware that the call was routed through a hacked VOIP system, they are just happy to have spoken to family and friends at a cheap rate.

Note also that it is entirely possible for the calls to be re-routed through an entire chain of hacked VOIP servers in more 2 or 3 different countries, effectively 'laundering the call' by making it harder to track down if an investigation is ever launched. Jurisdictional/timezone/culture and language differences are some of the most challenging hurdles faced by cybercrime investigators, and the crooks know how to take advantage of this (I aim to explore these aspects in a later instalment of this blog series)

The important thing is that the calling card holder just got an overseas call for the cost of a local call, plus the crooks margin, so they are not really the victim. The owner of the hacked VOIP server however may (or may not depending the size of a normal bill) realize that something is amiss when they get their next phone bill, as it was their system that made the calls. We have heard a few stories of this occurring (in Australia and abroad), where the victim's telephone bill inexplicably sky-rocketed by over $20,000 in one case here in Australia!

Premium rate number calling
This attack predates VOIP by many years, first being used on standard corporate PABX systems. VOIP has made this much more lucrative for the crooks due to the call volumes it allows.

The scam is fairly simple.

Crook has control of hacked VOIP system(s) for which the victim gets bills for on a monthly basis. This VOIP system may belong to a corporate entity, and so may be capable of making many concurrent calls.

The crook has a premium rate 1900 number, for which they collect revenue on a weekly or daily basis.

Crook gets the hacked VOIP system to make multiple, repeated calls to the 1900 number, thus adding to the account of the 1900 number, at the expense of the owner of the hacked VOIP system.

Crook collects the revenue from the 1900 number every day/week until someone notices.

In this case, the victim may not realise they have been hacked until they receive the bill at the end of the month, by which time the crook has made off with potentially hundreds of thousands of dollars over at least 2 weekly collection periods.
Note also that there is a money trail here, so the crook must also engage in other crime types such as identity theft, money laundering etc to actually get cash out.

Future threat – Denial of Service
The motive behind this attack could probably be any of the ones listed above.
I've not heard of any instances of this, but it's worthwhile considering how we would deal with the threat of Denial of Service on Voice systems. This could be as simple as an attacker using a hacked VOIP system to dial multiple concurrent calls into a target's phone numbers (VOIP, or PSTN for that matter) which would exhaust all of the available connections, even ISDN/PSTN indials??. Remember that SIP, the predominant VOIP protocol is UDP (connectionless) and being an Internet protocol could be emulated/faked, so perhaps a hacked VOIP system wouldn't even be required to effect a DOS.
This area needs much more research and consideration from authorities much better funded and capable than us, and yes we are more than happy to brainstorm ideas on threat scenarios and mitigations with the appropriate agencies/researchers, just contact us.

Given the importance of voice systems both for commerce and its use in emergency situations, it's imperative that threat scenarios are identified and risks are mitigated to within acceptable tolerances. I hope this blog gives some background info to organizations who are starting to consider the threats they face, and put in place appropriate controls and response plans.

Next in the blog series is PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS". Feel free to contact me at ben@honeynet.org.au with any feedback, or input into the next one.

Shown below is a visual of a time series analysis representing malicious activity reported by our 6 most active and reliable SensorNET honeypots. These honeypots have been deployed for between 9 months and 2 years in the Australian IP space. our honeypots are designed to detect malicious network activity in a passive and safe manner, you can read more about the background of our SensorNET here.

CLICK to enlarge.

Each one of these blue dots represents a group of other people's compromised computers attempting to compromise our honeypots in an effort to get it to join a botnet. All of this happens in the background, and does not require any action by the owner of the computer, or even for them to be sitting at the compromised computer.
Some of these attacks come from computers in Australia, and many come from other countries as well. We have done some visual analysis on the location of these attackers in past blogs using geographric heatmaps here and with a tool called Circos here.

While there are a lot of factors involved in malicious activity on the internet. I tried to keep it simple, and this visual does a reasonable job of helping us understand when malicious network activity peaks.

Relatively little activity is seen in the early hours between 3am and 7am. Then we see a substantial, and consistent uptick in activity on every day between 8am and 9am. This may be caused by people turning on infected PC's, which then go and scan for new victims at this time. Throughout the day, activity generally increases, peaking around the middle of the night. The old adage 'beware the midnight hour' seems to be applicable even on the internet (Hence the spooky green bar graph, just for fun).

From our results, it appears just after midnight on Friday and Thursday nights would probably be the most dangerous time for an unattended, insecure computer to be on the Australian internet. Of course there is actually no 'safe' time for such a computer to exist on the Internet, but it is interesting to do this analysis.

Each one of these attacks is preventable by using a proper firewall, good practice, antivirus, and security patches. To avoid contributing to the blue dots on this visual, read AusCERT's advice here on how to best to protect your computers.

Helping to understand our cyber threat environment so that decisions on mitigations/controls are better informed is really one of our key goals, particularly as plans are under-way for the roll-out of the $43 billion Australian National Broadband Network, which will clearly need to consider cyber security as a major stakeholder.

If you have a similar dataset that you are interested in studying in this manner, send me an email at ben@honeynet.org.au

In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps, is that they are the combination of months of data without any respect to time.

So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.

Without further ado, here is a video of about a week's worth of SPAM on the planet Earth:

When zooming in on Europe, notice the 'Blue Banana', which is a discontinuous corridor of urbanisation in Western Europe is once again evident, as it was with the European heatmap. From North West England to Milan, 90 million people live in this corridor, and evidently a fair few of them have computers that send us SPAM. They call it a banana because of it's curvature but I've no idea why its blue.

We were hoping to see a 'follow the sun' aspect emerge, thinking that as people turn their computers off and go to bed, less spam will come from infected hosts in that timezone. This sounds reasonable, but it really only shows up to a fairly small degree in the video. It seems people don't turn infected hosts off at night. SPAM it seems, is 24x7.

We've also done the same technique for the location of network borne malware (worms) seen by our Australian SensorNET, in fact dataset with an IP and a timestamp - we can create a video of now. Feel free to contact us if you have an interesting dataset.
I used a product called 'logster' to do these videos, it is designed to read weblog files so that you can get an idea of who and when people visited your website. However you can use any dataset with an IP and timetamp, and parse it to make it look like an apache weblog file easily enough. This is what we (Thanks DavidZ) did with our nepenthes and SPAM data sets. Logster is another good analysis tool to have in the kit.

If you have a SPAM feed you would like to provide to the project, please email us at contact@honeynet.org.au

Greetings everyone

Recently on the train to work I got to playing with VirtualBox and by the end of the trip I had a very nice new toy that will automagically process malware samples in VirtualBox images and capture their associated network traffic and package up the results into neat little zips foreach sample that is run.

Why did I call it Minionz? well I wanted a cool name and one of the team members said "it has to have the letter z in there" and I figured Minionz was a very appropriate name for a sandnet since they are effectively doing all the leg work as a normal minion would do :)

You can find the link to the tool here http://honeynet.org.au/release/minionz.zip as well as on our tool site:
http://honeynet.org.au/?q=node/10

-vlashef

In part 2 of our VOIP phoneynet blog series, we look at some very high level details of the results we've seen to date.

As quick background, we decided to deploy VOIP honeypots for 2 reasons:

To get a feeling for the extent of network scanning being conducted against VOIP services in the AU network space. By network scanning, we mean probes by persons unknown to determine if there is a VOIP server available.

To trial some early generation VOIP honeypot technologies. These systems are so called 'low interaction' honeypots, in that only provide trivial functionality. They do not interact, or trick the miscreant into making calls or anything similar, they simply log attempts to connect.

The Internet location of the VOIP phoneypot is an important facet of the whole idea behind the Phoneynet. We use IP addresses that are not advertised anywhere as having providing VOIP services, so we can say that any attempt to probe this IP is an opportunistic 'discovery/reconnaissance' phase, as there is no other reason to try to connect to VOIP on the IP of the phoneypot! The initial probe would potentially lead to further nefarious activity (if indeed our honeypot was a real VOIP server). With regard to what the bad guys may use a compromised VOIP service for - we will cover some of this in Part 3 of this blog series.

After the initial setup was complete in March 2009, we waited a few weeks for the first interesting scan. Since then, we probably get only about one scan scan every few weeks. This amount of activity surprised me, as I'm used to looking at our sensornet activity, which sees multiple attacks per day. I really think VOIP scanning/hacking is in it's very early days, and as an underground market for compromised VOIP servers develops - we should expect to see more of these scans

Here is a map of the IP's that scanned the honeypot.
(click to enlarge)


Yes, that is Nairobi in Kenya.

The very first scan was interesting, and worthwhile highlighting. Logs are shown below.

---

----------------------------------------------2009-04-05 02:16:21
UDP message received [413] bytes :
OPTIONS sip:100@x.x.x.x(honeypot_IP_removed by ben) SIP/2.0
Via: SIP/2.0/UDP x.x.x.x(scanner_IP_removed by ben):5064;branch=z9hG4bK-371673121;rport
Content-Length: 0
From: "sipvicious";
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"
Contact: sip:100@x.x.x.x(scanner_IP_removed by ben):5064
CSeq: 1 OPTIONS
Call-ID: 789722681006804995164495
Max-Forwards: 70
-----------------------------------------------
Unexpected UDP message received:
OPTIONS sip:100@x.x.x.x(honeypot_IP_removed by ben) SIP/2.0
Via: SIP/2.0/UDP x.x.x.x(scanner_IP_removed by ben) :5064;branch=z9hG4bK-371673121;rport
Content-Length: 0
From: "sipvicious";
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"
Contact: sip:100@x.x.x.x(scanner_IP_removed by ben):5064
CSeq: 1 OPTIONS
Call-ID: 789722681006804995164495
Max-Forwards: 70
----------------------------------------------

---

The first thing that struck me was 'sipvicious'?? Oh I see, its a cute reference to the SIP protocol and the famous Sex Pistols member, Sid Vicious (read more about Sid here)
This led me to visit Sandro Gauci's website http://sipvicious.org. Sandro is a whitehat VOIP security provider. Security professionals would be familiar with 'must have' security audit tools such as 'nmap' and 'nessus' and many others. These tools are used by the both the good guys and the bad guys. Good guys use them to conduct 'penetration testing' of Internet systems in an effort to discover problems and fix them up. Bad guys can also use these same tools to discover these weaknesses before they are fixed up.

'Sipvicious' is basically a VOIP security auditing tool, offered by Sandro (a white hat) so that the good guys can learn more about their vulnerabilities and fix them before they are used by the bad guys, note the 'User-Agent: friendly-scanner' in the logs above, this is the default action of Sipvicious.
Now, I have no idea as to the motivation of the persons who pointed sipvicious at our honeypots. But I believe that they are opportunistic scans by a miscreant, so that they may be examined further to determine for vulnerabilities.

In summary, the takeway points from this blog are:
- VOIP scanning in Australia does exist.
- Tools and techniques used by the white hat community are also used by the miscreant.

Next up in this Blog series:
VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"