Blogs

Most dangerous time on the Australian Internet

Shown below is a visual of a time series analysis representing malicious activity reported by our 6 most active and reliable SensorNET honeypots. These honeypots have been deployed for between 9 months and 2 years in the Australian IP space. Our honeypots are designed to detect malicious network activity in a passive and safe manner; you can read more about the background of our SensorNET here.


Each one of these blue dots represents a group of other people's compromised computers attempting to compromise our honeypots in an effort to get it to join a botnet. All of this happens in the background, and does not require any action by the owner of the computer, or even for them to be sitting at the compromised computer.
Some of these attacks come from computers in Australia, and many come from other countries as well. We have done some visual analysis on the location of these attackers in past blogs using geographic heatmaps here and with a tool called Circos here.

While there are a lot of factors involved in malicious activity on the internet, I tried to keep it simple, and this visual does a reasonable job of helping us understand when malicious network activity peaks.

Relatively little activity is seen in the early hours between 3am and 7am. Then we see a substantial and consistent uptick in activity on every day between 8am and 9am. This may be caused by people turning on infected PCs, which then go and scan for new victims at this time. Throughout the day, activity generally increases, peaking around the middle of the night. The old adage 'beware the midnight hour' seems to be applicable even on the internet (hence the spooky green bar graph, just for fun).

From our results, it appears just after midnight on Friday and Thursday nights would probably be the most dangerous time for an unattended, insecure computer to be on the Australian internet. Of course there is actually no 'safe' time for such a computer to exist on the Internet, but it is interesting to do this analysis.
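The weekday/hour bucketing behind a chart like the one above, as an added example (not the project's own analysis code). It assumes the honeypot timestamps are stored in UTC and the sensors are on AEST (UTC+10, which has no daylight saving), because a 14:00Z event is actually a midnight event in Brisbane and that conversion is where this kind of analysis usually goes wrong.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: sensors are on AEST (UTC+10, no DST). Honeypot logs are in UTC.
AEST = timezone(timedelta(hours=10))
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2009-04-05T14:16:21Z' as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def weekday_hour_matrix(timestamps):
    """Return {(weekday, local_hour): count}; weekday 0 is Monday."""
    counts = Counter()
    for ts in timestamps:
        local = parse_utc(ts).astimezone(AEST)   # convert before bucketing
        counts[(local.weekday(), local.hour)] += 1
    return counts


def peak_slot(counts):
    """Return ((day_name, hour), count) for the busiest weekday/hour slot."""
    (day, hour), n = max(counts.items(), key=lambda kv: (kv[1], -kv[0][0], -kv[0][1]))
    return (DAYS[day], hour), n


def morning_uptick(counts, weekday):
    """Ratio of 08:00-08:59 events to 03:00-06:59 events on one weekday:
    the 'people switching on infected PCs' signal described in the post."""
    quiet = sum(counts[(weekday, h)] for h in range(3, 7))
    eight = counts[(weekday, 8)]
    return eight / quiet if quiet else float("inf")


# Constructed sample events (UTC). 2009-04-09 is a Thursday, so 22:30Z that day
# is Friday 08:30 AEST, and 2009-04-10T14:05Z is Saturday 00:05 AEST.
SAMPLE = [
    "2009-04-09T22:30:00Z",  # Fri 08:30 AEST
    "2009-04-09T22:45:00Z",  # Fri 08:45 AEST
    "2009-04-09T22:50:00Z",  # Fri 08:50 AEST
    "2009-04-09T19:10:00Z",  # Fri 05:10 AEST (quiet hours)
    "2009-04-10T14:05:00Z",  # Sat 00:05 AEST (just after midnight Friday night)
    "2009-04-10T14:20:00Z",
    "2009-04-10T14:40:00Z",
    "2009-04-10T14:55:00Z",
]

if __name__ == "__main__":
    m = weekday_hour_matrix(SAMPLE)
    print("peak:", peak_slot(m))
    print("Friday 8am uptick ratio:", morning_uptick(m, 4))
```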

Each one of these attacks is preventable by using a proper firewall, good practice, antivirus, and security patches. To avoid contributing to the blue dots on this visual, read AusCERT's advice here on how best to protect your computers.

Helping to understand our cyber threat environment so that decisions on mitigations/controls are better informed is really one of our key goals, particularly as plans are underway for the roll-out of the $43 billion Australian National Broadband Network, which will clearly need to consider cyber security as a major stakeholder.

If you have a similar dataset that you are interested in studying in this manner, send me an email at ben@honeynet.org.au

The Honeynet Project is now a mentor for Google's "Summer of Code"

Great news, the Honeynet Project is now a designated mentor in the upcoming "Google Summer of Code". Congratulations goes to the chapters that worked on the submission.

Of course, it will be winter time in Australia soon - which is all the better to stay inside and code :)

The project is looking for skillful and enthusiastic coders who are interested in working on any of these projects.

This could be a great opportunity for an aspiring student. If this sounds like you, and you are up for a challenge, you need to get involved soon as application period closes on April 3 2009.

For full information, check out the main honeynet GSOC page.

If you need any additional information or want to ask questions, you can get in touch at project@honeynet.org or on IRC (#gsoc-honeynet on irc.freenode.net).

Best of luck.

VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"

There are quite a few ways that a criminal can make use of a compromised VOIP server. It's important to realize that the criminal mind is very imaginative, and there will be many motives and scams that we have not even imagined yet, much less experienced.
When looking at these types of questions, I think it helps to have the notion of motive in the back of your mind. This may sound obvious, but I find this helps answer the question 'what would a person or group with this motivation want with a compromised VOIP system?'.

Here are some potential motives. While I won't go into every possible scenario, it's really not hard to imagine that full control of a target's phone system would be handy for people with any of these motives.

  • Financial gain
  • Political
  • Religious
  • Reputation and ego of the hacker
  • Intellectual Property theft, Trade Secrets
  • Espionage
  • Retribution, commercial or personal
  • Vandalist, miscreant activity (bored youth..)

    I got some great local and international feedback on incidents from readers of Part 1 and Part 2 of this blog series (thank you everyone). Most of these incidents seem to fall into the 'Financial gain' motive group, so I'll give two examples of common attacks which are currently seen in AU and overseas, and a possible future threat.

    Cheap overseas calls / calling cards.
    One of the most common uses for hacked VOIP servers is to simply make unauthorized calls, and there have been incidents of hacked VOIP servers being used in relation to calling card scams to do just this. This is not to say that all cheap calling card operations are scams; most, I'm sure, are legitimate.
    Here is a brief overview of a simple version of the scam:

  • The crook controls a hacked VOIP system in (say) Australia. This means that they can accept and redirect calls, and essentially control every aspect of that phone system.
  • The crook sells 'calling cards' to citizens of another country that live in, or are visiting Australia. The card allows them to call home at ridiculously cheap rates, a tiny fraction of the cost of a legitimate overseas call.
  • The buyer of the calling card is instructed to call a local (probably legitimate) number in Australia and then enter in the international number they are trying to reach. The crook then reroutes these calls through VOIP to the hacked system, which then makes the international call. This functionality could potentially be turned off periodically to evade being uncovered, and could even be configured to only use the hacked VOIP server for calls to a specific set of countries.
  • The buyer of the calling card of course could not be aware that the call was routed through a hacked VOIP system, they are just happy to have spoken to family and friends at a cheap rate.
  • Note also that it is entirely possible for the calls to be re-routed through an entire chain of hacked VOIP servers in 2 or 3 different countries, effectively 'laundering the call' by making it harder to track down if an investigation is ever launched. Jurisdictional, timezone, culture and language differences are some of the most challenging hurdles faced by cybercrime investigators, and the crooks know how to take advantage of this (I aim to explore these aspects in a later instalment of this blog series).
  • The important thing is that the calling card holder just got an overseas call for the cost of a local call plus the crook's margin, so they are not really the victim. The owner of the hacked VOIP server, however, may (or may not, depending on the size of a normal bill) realize that something is amiss when they get their next phone bill, as it was their system that made the calls. We have heard a few stories of this occurring (in Australia and abroad), where the victim's telephone bill inexplicably sky-rocketed, by over $20,000 in one case here in Australia!

    Premium rate number calling
    This attack predates VOIP by many years, first being used on standard corporate PABX systems. VOIP has made this much more lucrative for the crooks due to the call volumes it allows.

    The scam is fairly simple.

  • Crook has control of hacked VOIP system(s) for which the victim is billed on a monthly basis. This VOIP system may belong to a corporate entity, and so may be capable of making many concurrent calls.
  • The crook has a premium rate 1900 number, for which they collect revenue on a weekly or daily basis.
  • Crook gets the hacked VOIP system to make multiple, repeated calls to the 1900 number, thus adding to the account of the 1900 number, at the expense of the owner of the hacked VOIP system.
  • Crook collects the revenue from the 1900 number every day/week until someone notices.
  • In this case, the victim may not realise they have been hacked until they receive the bill at the end of the month, by which time the crook has made off with potentially hundreds of thousands of dollars over at least 2 weekly collection periods.
    Note also that there is a money trail here, so the crook must also engage in other crime types such as identity theft, money laundering etc. to actually get cash out.
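Because the victim only finds out at the end of the month, the practical control is to watch the call detail records (CDRs) as they are written rather than waiting for the bill. The following is an added example, not code from the project or from any PBX vendor, that runs two simple checks over a constructed CDR feed: repeated calls to one premium-rate destination inside a short window, and the peak number of concurrent outbound calls. The CSV column names and the 190 prefix for Australian premium-rate numbers are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Australian premium-rate services start with 190 (the post's '1900 numbers').
# Assumption: other countries' premium ranges would need adding here.
PREMIUM_PREFIXES = ("190", "+61190")


def parse_cdrs(text):
    """Parse constructed CDR lines with columns start,ext,dst,duration (seconds)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        dur = int(row["duration"])
        rows.append({"start": start, "end": start + timedelta(seconds=dur),
                     "ext": row["ext"], "dst": row["dst"].replace(" ", "")})
    return rows


def is_premium(number):
    return number.startswith(PREMIUM_PREFIXES)


def premium_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Return {destination: max_calls_in_window} for premium-rate numbers that
    received at least `threshold` calls inside any `window`. Repeated short
    calls to one premium number is the billing pattern the post describes."""
    by_dst = {}
    for r in records:
        if is_premium(r["dst"]):
            by_dst.setdefault(r["dst"], []).append(r["start"])
    flagged = {}
    for dst, starts in by_dst.items():
        starts.sort()
        for i, t0 in enumerate(starts):
            j = i
            while j < len(starts) and starts[j] - t0 <= window:
                j += 1
            if j - i >= threshold:
                flagged[dst] = max(flagged.get(dst, 0), j - i)
    return flagged


def max_concurrent(records):
    """Peak number of simultaneous calls (sweep line over start/end events).
    A sudden jump on a PBX that normally makes one call at a time is a
    useful early warning even before the destination is known."""
    events = [(r["start"], 1) for r in records] + [(r["end"], -1) for r in records]
    events.sort(key=lambda e: (e[0], e[1]))   # an end sorts before a start at the same instant
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


# Constructed sample: six two-minute calls to one 1900 number in the small
# hours, then two ordinary daytime calls.
SAMPLE_CDR = """start,ext,dst,duration
2009-04-11 02:00:05,201,1900 123 456,120
2009-04-11 02:01:10,201,1900 123 456,120
2009-04-11 02:02:15,202,1900 123 456,120
2009-04-11 02:03:20,203,1900 123 456,120
2009-04-11 02:04:25,204,1900 123 456,120
2009-04-11 02:05:30,201,1900 123 456,120
2009-04-11 09:15:00,210,07 3300 1122,240
2009-04-11 09:20:00,211,0412 345 678,90
"""

if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDR)
    print("premium bursts:", premium_bursts(recs))
    print("peak concurrent calls:", max_concurrent(recs))
```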

    Future threat – Denial of Service
    The motive behind this attack could probably be any of the ones listed above.
    I've not heard of any instances of this, but it's worthwhile considering how we would deal with the threat of Denial of Service on voice systems. This could be as simple as an attacker using a hacked VOIP system to dial multiple concurrent calls into a target's phone numbers (VOIP, or PSTN for that matter), which would exhaust all of the available connections, even ISDN/PSTN indials. Remember that SIP, the predominant VOIP protocol, is carried over UDP (connectionless), and being an Internet protocol its source addresses could be emulated/faked, so perhaps a hacked VOIP system wouldn't even be required to effect a DOS.
    This area needs much more research and consideration from authorities much better funded and capable than us, and yes we are more than happy to brainstorm ideas on threat scenarios and mitigations with the appropriate agencies/researchers, just contact us.

    Given the importance of voice systems both for commerce and its use in emergency situations, it's imperative that threat scenarios are identified and risks are mitigated to within acceptable tolerances. I hope this blog gives some background info to organizations who are starting to consider the threats they face, and put in place appropriate controls and response plans.

    Next in the blog series is PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS". Feel free to contact me at ben@honeynet.org.au with any feedback, or input into the next one.

    Time series geomapping of SPAM senders

    In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps is that they are the combination of months of data without any respect to time.

    So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.

    Without further ado, here is a video of about a week's worth of SPAM on the planet Earth:

    When zooming in on Europe, notice that the 'Blue Banana', a discontinuous corridor of urbanisation in Western Europe, is once again evident, as it was with the European heatmap. From North West England to Milan, 90 million people live in this corridor, and evidently a fair few of them have computers that send us SPAM. They call it a banana because of its curvature, but I've no idea why it's blue.

    We were hoping to see a 'follow the sun' aspect emerge, thinking that as people turn their computers off and go to bed, less spam will come from infected hosts in that timezone. This sounds reasonable, but it really only shows up to a fairly small degree in the video. It seems people don't turn infected hosts off at night. SPAM, it seems, is 24x7.

    We've also done the same technique for the location of network borne malware (worms) seen by our Australian SensorNET; in fact, any dataset with an IP and a timestamp can now be turned into a video. Feel free to contact us if you have an interesting dataset.
    I used a product called 'logster' to do these videos. It is designed to read weblog files so that you can get an idea of who visited your website and when. However, you can use any dataset with an IP and timestamp, and parse it to make it look like an Apache weblog file easily enough. This is what we (thanks DavidZ) did with our nepenthes and SPAM data sets. Logster is another good analysis tool to have in the kit.
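The conversion step described above, as an added example (not the script the project used): it turns constructed "timestamp ip label" event lines into Apache combined-format lines, whose timestamp field has a fixed `[dd/Mon/yyyy:HH:MM:SS +zzzz]` shape, and parses them back to check the output is well-formed. The input line format and the use of the event label as the request path are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed input: "<ISO-8601 UTC timestamp> <source IP> <label>", one event
# per line (e.g. a nepenthes capture or a spam-trap hit). Real feeds differ.
SAMPLE_EVENTS = """\
2009-04-05T02:16:21Z 203.0.113.7 nepenthes
2009-04-05T02:17:02Z 198.51.100.23 spam
2009-04-05T02:17:02Z 198.51.100.23 spam
"""

# Apache's %t format: [05/Apr/2009:02:16:21 +0000]
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"


def parse_event(line):
    ts, ip, label = line.split()
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt, ip, label


def to_apache_line(dt, ip, label):
    """Render one event in Apache combined log format. The label becomes the
    request path so a weblog tool can still tell event types apart."""
    return (f'{ip} - - [{dt.strftime(APACHE_TIME)}] "GET /{label} HTTP/1.0" '
            f'200 0 "-" "{label}"')


def convert(text):
    """Convert a whole event feed to a list of Apache log lines."""
    return [to_apache_line(*parse_event(l)) for l in text.splitlines() if l.strip()]


APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')


def parse_apache_line(line):
    """Sanity check: parse a generated line back into (ip, datetime)."""
    m = APACHE_RE.match(line)
    if not m:
        raise ValueError("not an Apache combined log line: %r" % line)
    return m.group(1), datetime.strptime(m.group(2), APACHE_TIME)


if __name__ == "__main__":
    for out in convert(SAMPLE_EVENTS):
        print(out)
```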

    If you have a SPAM feed you would like to provide to the project, please email us at contact@honeynet.org.au

    Tool Release - Minionz - "VirtualBox Sandbox automation"

    Greetings everyone

    Recently on the train to work I got to playing with VirtualBox, and by the end of the trip I had a very nice new toy that will automagically process malware samples in VirtualBox images, capture their associated network traffic, and package up the results into neat little zips for each sample that is run.

    Why did I call it Minionz? Well, I wanted a cool name, and one of the team members said "it has to have the letter z in there", and I figured Minionz was a very appropriate name for a sandnet since they are effectively doing all the leg work as a normal minion would do :)

    You can find the link to the tool here http://honeynet.org.au/release/minionz.zip as well as on our tool site:
    http://honeynet.org.au/?q=node/10

    -vlashef

    VOIP phoneynet : PART 2 "OBSERVATIONS OF THE VOIP PILOT THUS FAR"

    In part 2 of our VOIP phoneynet blog series, we look at some very high level details of the results we've seen to date.

    As quick background, we decided to deploy VOIP honeypots for 2 reasons:

  • To get a feeling for the extent of network scanning being conducted against VOIP services in the AU network space. By network scanning, we mean probes by persons unknown to determine whether a VOIP server is available.
  • To trial some early generation VOIP honeypot technologies. These systems are so-called 'low interaction' honeypots, in that they only provide trivial functionality. They do not interact with, or trick, the miscreant into making calls or anything similar; they simply log attempts to connect.

    The Internet location of the VOIP phoneypot is an important facet of the whole idea behind the Phoneynet. We use IP addresses that are not advertised anywhere as providing VOIP services, so we can say that any attempt to probe this IP is an opportunistic 'discovery/reconnaissance' phase, as there is no other reason to try to connect to VOIP on the IP of the phoneypot! The initial probe would potentially lead to further nefarious activity (if indeed our honeypot was a real VOIP server). With regard to what the bad guys may use a compromised VOIP service for, we will cover some of this in Part 3 of this blog series.

    After the initial setup was complete in March 2009, we waited a few weeks for the first interesting scan. Since then, we probably get only about one scan every few weeks. This amount of activity surprised me, as I'm used to looking at our SensorNET activity, which sees multiple attacks per day. I really think VOIP scanning/hacking is in its very early days, and as an underground market for compromised VOIP servers develops, we should expect to see more of these scans.

    Here is a map of the IPs that scanned the honeypot.


    Yes, that is Nairobi in Kenya.

    The very first scan was interesting, and worthwhile highlighting. Logs are shown below.

    ----------------------------------------------2009-04-05 02:16:21
    UDP message received [413] bytes :
    OPTIONS sip:100@x.x.x.x(honeypot_IP_removed by ben) SIP/2.0
    Via: SIP/2.0/UDP x.x.x.x(scanner_IP_removed by ben):5064;branch=z9hG4bK-371673121;rport
    Content-Length: 0
    From: "sipvicious"; tag=37626633376535343133633401323433373135323539
    Accept: application/sdp
    User-Agent: friendly-scanner
    To: "sipvicious"
    Contact: sip:100@x.x.x.x(scanner_IP_removed by ben):5064
    CSeq: 1 OPTIONS
    Call-ID: 789722681006804995164495
    Max-Forwards: 70
    -----------------------------------------------
    Unexpected UDP message received:
    OPTIONS sip:100@x.x.x.x(honeypot_IP_removed by ben) SIP/2.0
    Via: SIP/2.0/UDP x.x.x.x(scanner_IP_removed by ben) :5064;branch=z9hG4bK-371673121;rport
    Content-Length: 0
    From: "sipvicious"; tag=37626633376535343133633401323433373135323539
    Accept: application/sdp
    User-Agent: friendly-scanner
    To: "sipvicious"
    Contact: sip:100@x.x.x.x(scanner_IP_removed by ben):5064
    CSeq: 1 OPTIONS
    Call-ID: 789722681006804995164495
    Max-Forwards: 70
    ----------------------------------------------

    The first thing that struck me was 'sipvicious'?? Oh I see, it's a cute reference to the SIP protocol and the famous Sex Pistols member, Sid Vicious (read more about Sid here).
    This led me to visit Sandro Gauci's website http://sipvicious.org. Sandro is a whitehat VOIP security provider. Security professionals would be familiar with 'must have' security audit tools such as 'nmap' and 'nessus' and many others. These tools are used by both the good guys and the bad guys. Good guys use them to conduct 'penetration testing' of Internet systems in an effort to discover problems and fix them up. Bad guys can also use these same tools to discover these weaknesses before they are fixed up.

    'Sipvicious' is basically a VOIP security auditing tool, offered by Sandro (a white hat) so that the good guys can learn more about their vulnerabilities and fix them before they are used by the bad guys. Note the 'User-Agent: friendly-scanner' in the logs above; this is Sipvicious's default.
    Now, I have no idea as to the motivation of the persons who pointed sipvicious at our honeypots. But I believe that they are opportunistic scans by a miscreant, so that any responding systems may be examined further for vulnerabilities.
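How a honeypot (or an IDS watching UDP/5060) can pick this probe out of a packet capture, as an added example that is not the phoneypot's own code: it parses the SIP request line and headers and flags the two SIPVicious fingerprints visible in the log above, the `User-Agent: friendly-scanner` header and the `"sipvicious"` display name in From. The sample message reuses the headers from the log with the redacted addresses replaced by documentation IPs (192.0.2.10 for the honeypot, 198.51.100.5 for the scanner); the second, benign REGISTER sample is constructed.

```python
import re

# Fingerprints taken from the honeypot log: SIPVicious identifies itself both
# in the User-Agent header and in the From display name by default.
SCANNER_SIGNATURES = {
    "sipvicious": (("user-agent", "friendly-scanner"), ("from", "sipvicious")),
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (sip:\S+) SIP/2\.0$")


def parse_sip_request(payload: str):
    """Split a SIP request into (method, request_uri, headers).
    Header names are lower-cased; a repeated header keeps its first value."""
    head = payload.replace("\r\n", "\n").split("\n\n", 1)[0]   # drop any body
    lines = [l for l in head.split("\n") if l.strip()]
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return m.group(1), m.group(2), headers


def classify_probe(payload: str):
    """Return findings for a SIP message that arrived at an unadvertised IP."""
    method, _uri, h = parse_sip_request(payload)
    findings = []
    for name, sigs in SCANNER_SIGNATURES.items():
        if any(sig in h.get(field, "").lower() for field, sig in sigs):
            findings.append("scanner:" + name)
    if method == "OPTIONS":
        # OPTIONS is the SIP equivalent of a ping: 'is there a server here?'
        findings.append("recon:options-ping")
    if "z9hG4bK" not in h.get("via", ""):
        # RFC 3261 requires the Via branch to start with this magic cookie;
        # its absence points at a hand-rolled or broken client.
        findings.append("malformed:via-branch")
    return findings


# The probe from the log above, with the redacted IPs replaced by documentation
# addresses (constructed).
SAMPLE_SCAN = "\r\n".join([
    "OPTIONS sip:100@192.0.2.10 SIP/2.0",
    "Via: SIP/2.0/UDP 198.51.100.5:5064;branch=z9hG4bK-371673121;rport",
    "Content-Length: 0",
    'From: "sipvicious"; tag=37626633376535343133633401323433373135323539',
    "Accept: application/sdp",
    "User-Agent: friendly-scanner",
    'To: "sipvicious"',
    "Contact: sip:100@198.51.100.5:5064",
    "CSeq: 1 OPTIONS",
    "Call-ID: 789722681006804995164495",
    "Max-Forwards: 70",
    "", "",
])

# A constructed, ordinary phone registration for comparison.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:192.0.2.10 SIP/2.0",
    "Via: SIP/2.0/UDP 198.51.100.9:5060;branch=z9hG4bK-abc123",
    "From: <sip:alice@192.0.2.10>;tag=1",
    "To: <sip:alice@192.0.2.10>",
    "User-Agent: ExamplePhone/1.0",
    "Call-ID: c1",
    "CSeq: 1 REGISTER",
    "Content-Length: 0",
    "", "",
])

if __name__ == "__main__":
    print(classify_probe(SAMPLE_SCAN))
    print(classify_probe(SAMPLE_REGISTER))
```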

    In summary, the takeaway points from this blog are:
    - VOIP scanning in Australia does exist.
    - Tools and techniques used by the white hat community are also used by the miscreant.

    Next up in this Blog series:
    VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"

    Phishing and Mule spamclouds

    Like a lot of people, unfortunately we get a LOT of spam. I thought it would be interesting to sort these into distinct groups and make some wordclouds, or more specifically spamclouds, from the content of the spam.

    The idea behind these spamclouds is that a quick glance draws your eye to the more dominant words, and also gives a sense of the relative importance of words used in each spam type.

    I sorted the spam from around 3-6 months worth of data into 3 distinct groups as follows:

    Phishing spam: These are emails claiming to be from a legitimate institution, such as the tax office, bank, ISP or credit union. They attempt to dupe victims into handing over their banking details, and other data that could be used in many forms of identity theft. For the purpose of this exercise I concentrated on emails purporting to be from Australian based institutions. The word Commonwealth stands out due to the fact that the Commonwealth Bank of Australia have been the target of a large amount of phishing attacks recently. Read more about this style of scam at the Scamwatch website here.


    Money mule spam: These are emails that attempt to recruit people into becoming "money mules" for the purpose of laundering stolen funds. Often the victim believes they are partaking in legitimate activity, such as a new job as a transfer agent, where their pay is a small percentage of each 'transfer'. Read more about this style of scam here.

    Advance Fee Fraud spam: Also known (quite unfairly) as "Nigerian Scams" or "419" scams. Read more about this style of scam here.

    I was initially going to do medication/viagra spam as a category as well. However the words that are typically used in the majority of these emails are just so bizarre and nonsensical, that the spamcloud would probably be quite humorous, but not really useful.

    Now, obviously the results will vary with different datasets and time periods, so please don't read too much into this piece of work, it's not overly scientific, but hopefully it is still useful and instructive to the public.

    We recommend anyone thinking they (or someone they know) may have fallen for one of these scams to check out the Scamwatch website http://www.scamwatch.gov.au. This is a very useful resource for the public to learn about many types of scam, and is run by the Australian Competition and Consumer Commission (ACCC).

    VOIP phoneynet : PART 1 - "UPDATE"

    Since the annual workshop in KL earlier in the year, I've been learning a lot about VOIP from Sjur Usken from the Norwegian Honeynet Chapter, and Sandro Gauci from Enable Security. Both of these guys are experts in the field of VOIP security, and we thank them for their assistance to the Australian Honeynet Project.

    We've been testing a couple of different styles of VOIP honeypots (yes, phoneypots..). Presently we have one sensor in operation in the AU IP space, running as a pilot. Plans are to increase the number once techniques are matured and the tools are released by the authors.

    We've seen some very interesting scanning of our phoneypot sensor during the pilot and the results will be posted shortly, so stay tuned for the following installments!

    VOIP phoneynet : PART 2 "OBSERVATIONS OF THE VOIP PILOT THUS FAR"
    VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"
    VOIP phoneynet : PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS"
    VOIP phoneynet : PART 5 "WHAT MIGHT THE FUTURE HOLD WITH VOIP SECURITY"
    VOIP phoneynet : PART 6-n "TBA, what do you want? I'm taking requests at ben@honeynet.org.au"

    This is an interesting area, and increasingly important as VOIP gets more popular, and is targeted by wrong-doers.
    We feel that the general level of understanding of VOIP security, and more so of malicious VOIP activity, is relatively low, and that we need to increase this by getting a better view of the sort of malicious VOIP activity out there. This has been the driver behind this project. If you have any experience in VOIP honeynets, or actual incidents (anecdotal, or specific), please feel free to contact us.

    Using circos to map our sensornet

    Following up on our quest for better data analysis techniques, I've been playing for a couple of weeks with a product called Circos. This useful tool (written by Martin Krzywinski) is designed to visualize two-dimensional tabular data, and was originally written to map genome relationships! However it is very extensible, so I put it to use on the SensorNET data.

    The following maps are some of the many I've built with circos, and represent about 18 months worth of our data from the SensorNET. They can take some getting used to, but once you are used to reading this style of map they are quite trivial to understand. If you don't 'get it' straight away, please stick with it and you will see the beautiful simplicity soon enough.
    On the right hand side of the circle are our Australian based nepenthes sensors. These are the 'business end' of our SensorNET, as they collect network-borne malware, and also log where it comes from. The sensors are spread throughout the Australian IP space. On the left hand side is the attribute we are exploring, which in these examples is the attacking country, ASN, or MD5 of the malware. The color ribbons between the sensor and the attribute relate to the strength of the relationship. The thicker the ribbon, the more prominent the relationship.

    Top 15 attacking countries
    The first thing that jumps out here is the large proportion of attacks coming out of the Japanese IP space. This backs up the results of our geographic heatmap analysis. Note that all of the sensors almost without exception showed the most activity from Japan, and secondly from local Australian IP space.

    Top attackers from overseas
    This shows the top countries (excluding Australia). Note the dominance of Asian countries, in fact the top 6 countries are Japan, China, India, Taiwan, Cambodia and Mongolia, and only then comes the US. We are thinking this is attributable to the closeness and faster inter-country network links, and potentially to the 'closeness' in terms of IP space, particularly the first and second octet as some bots may scan local/adjacent subnets first, but we need to research this further.

    Top 15-30 attacking countries
    This is the top 15-30 attacking countries.

    Most attacking ASNs
    This shows the ASN (Autonomous System Number) networks which attacked this set of sensors. You'll notice that one of our nodes (node 19) had a very busy time being attacked repeatedly by one particular ASN. We actually considered this an anomaly in terms of its statistical relevance, and suspect the sensor may have been playing up, so this sensor/ASN pair was mostly dismissed from the rest of the analysis at this stage. I included this graph here simply to show how easily these anomalies show up with this visualization technique.

    Most commonly seen malware
    Here we see some of the more prevalent malware files being captured by the SensorNET. These are actually the files that will be infecting unprotected computers in Australia right now! I've abbreviated the MD5s to what I consider to be human readable for this graph.


    For reference, here are some links to the VirusTotal results for the top 5 pieces of malware (nominal name taken from F-Secure/Kaspersky):

  • Net-Worm.Win32.Kolabc.gau: detected by 39 out of 40 antivirus vendors (97.50%)
  • Backdoor.Win32.Rbot.aus: detected by 38 out of 39 antivirus vendors (97.44%)
  • Suspicious:W32/Malware!Gemini: detected by 6 out of 36 antivirus vendors (16.67%) ***
  • Backdoor.Win32.IRCBot.ddm: detected by 40 out of 40 antivirus vendors (100.00%)
  • Net-Worm.Win32.Kolabc.fia: detected by 40 out of 40 antivirus vendors (100.00%)

    So there you have it: although a lot of network-borne malware has great AV coverage, some do not ***. This means that a 'defense in depth' strategy is still required. Do not rely solely on any one of the main technical security controls (antivirus, patching, firewall); use them ALL for the best protection!

    What can you see in these diagrams? Do you have any suggestions or observations? Let me know at ben@honeynet.org.au

    Heatmaps of Australia Sensornet attackers and inbound SPAM

    One of our main focuses this year for the AHP is to work on how we present data efficiently and meaningfully.

    I've turned to the Visualization field to learn how to present data in ways that can be understood, trends spotted, and outliers and anomalies identified. Armed with this, these topics can then be studied further, can answer questions, or give rise to new questions.

    We are starting to understand how we can use a few tools now, particularly after the KL workshop (thanks Raffy and Sebastian for your help).

    One obvious tool is cartographic heat mapping. We are all very used to the concept of heat gradients when we look at weather maps.
    It is very useful to display data in this form to answer the question "Where are these things I'm interested in? Is there a particular place where they are more concentrated?"

    Well, our good friend (and in fact, newest contributor) David Z helped me understand and install the gheat infrastructure, which seems to suit some of our needs fairly nicely. I like this application: it allows you to zoom into an area (just as you do in Google Maps), and the product then recalculates the heatmap for that perspective. It is quite interactive in that way, and can be used by non-geeks. Over the next few months we plan to make some data from this application available to interested parties in such an interactive way. Until then, I've got a few screenshots showing some early results.

    This is a map of the locations of computers that are attacking our Australian SensorNET. One thing that stands out is that we seem to have a lot of activity from Japan. We are currently analyzing this, and if you attend Shaun's presentation at AusCERT2009 you'll learn more about this.

    Shaun has built a system that attempts to calculate the origin of SPAM that is being sent to our Australian based email traps.
    Because this data already existed, it was trivial for me to run this through gheat and come up with the following maps.
    Here is a heatmap of locations sending SPAM to Australia.

    Let's look closer at activity from within Australia itself.

    Let's look closer at activity out of Europe.

    Let's look closer at activity out of the US.


    What can you see? Seriously, let us know at contact@honeynet.org.au

    We hope to make more posts involving data visualization techniques this year. It's an important area for us.
    If you have any suggestions or viz tools that you can recommend, please let us know at contact@honeynet.org.au
