Honeypot analysis actually involves three related but separate forensic investigations:
Was the attack automated or manual?
How did the initial compromise happen?
What did the hacker or malware do after initial compromise?
Attacks come from roving automated malware (such as viruses, worms, and trojans), from a specific manual attack directed by a hacker, or from some combination of the two. In most cases, manual attacks are more of a concern than random, automated attacks. Either type of attack can cause damage, but the manual attack is unpredictable. Most automated malware is known (zero-day attacks are not frequent). You can use an Internet search engine or an antivirus database to search on the malware and learn everything about it. In contrast, no one knows how to predict what hackers will do when they are in control of your honeypot system.
The telltale signs of an automated attack are as follows:
Several different types of attack, in quick succession
Exploits not designed specifically for the platform attacked
The same attack tried over and over again in quick succession, without changing any parameters
Typing too fast to be done by a person, without any typos
The following are the telltale signs of a manual attack:
Exploit code used is specific for the platform attacked
Random typos in commands, with a lot of retyping
Random periods of time between different mechanisms of attack
Signs of prior intelligence gathering (such as pinging or port scans)
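The two lists above translate directly into measurable indicators on a captured shell session: the spacing between commands, whether lines were retyped, how often the identical line is re-sent, whether the commands fit the platform the honeypot emulates, and whether the same source was seen scanning first. The script below is an added example, not code from the book; the two session records are constructed, and the thresholds (0.5 s median gap, 3 repeats, and so on) are assumptions you would tune to your own honeypot's timing data.

```python
"""Heuristic triage of a honeypot shell session: automated or manual?

Added example, not code from the book. The session records and the
thresholds below are constructed/assumed for illustration; tune them to
your own honeypot's timing and command set.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Command:
    t: float        # seconds since session start when Enter was pressed
    text: str       # final command line as submitted
    retyped: bool   # line was edited (backspaces) before Enter


@dataclass
class Session:
    src: str
    platform: str          # what the honeypot emulates: "linux" or "windows"
    prior_recon: bool      # pings/port scans seen from src before login
    commands: List[Command]


# Commands that only make sense on one platform (assumed, illustrative set).
PLATFORM_HINTS = {
    "windows": {"dir", "reg", "tasklist", "powershell"},
    "linux": {"ls", "uname", "chmod", "cat", "ps"},
}


def platform_of(cmd: str) -> Optional[str]:
    """Return the platform a command line implies, or None if ambiguous."""
    parts = cmd.split()
    head = parts[0].lower() if parts else ""
    for plat, words in PLATFORM_HINTS.items():
        if head in words:
            return plat
    return None


def score_session(s: Session) -> Dict[str, object]:
    """Compute the telltale indicators for one session and return a verdict."""
    cmds = s.commands
    if len(cmds) < 2:
        return {"verdict": "insufficient", "evidence": []}
    gaps = [b.t - a.t for a, b in zip(cmds, cmds[1:])]
    med_gap = median(gaps)
    jitter = max(gaps) - min(gaps)            # spread of inter-command delay
    texts = [c.text for c in cmds]
    repeats = len(texts) - len(set(texts))    # identical lines re-sent unchanged
    foreign = sum(1 for c in cmds
                  if platform_of(c.text) not in (None, s.platform))
    retype_ratio = sum(c.retyped for c in cmds) / len(cmds)

    automated, manual, evidence = 0, 0, []
    if med_gap < 0.5:                  # faster than a person can type
        automated += 1
        evidence.append(f"median gap {med_gap:.2f}s")
    if jitter < 0.2:                   # machine-regular timing
        automated += 1
        evidence.append("near-constant command spacing")
    if repeats >= 3:                   # same attempt repeated, no parameter change
        automated += 1
        evidence.append(f"{repeats} identical repeats")
    if foreign:                        # commands not specific to this platform
        automated += 1
        evidence.append(f"{foreign} commands for another platform")
    if retype_ratio == 0 and med_gap < 0.5:
        automated += 1
        evidence.append("no typos at machine speed")

    if retype_ratio > 0:               # a human mistypes and corrects
        manual += 1
        evidence.append(f"retype ratio {retype_ratio:.2f}")
    if med_gap >= 2 and jitter >= 1:   # irregular, human-scale pauses
        manual += 1
        evidence.append("irregular human-scale pauses")
    if s.prior_recon:                  # intelligence gathering before the attack
        manual += 1
        evidence.append("prior recon from same source")

    verdict = "automated" if automated > manual else "manual"
    return {"verdict": verdict, "automated": automated, "manual": manual,
            "median_gap": med_gap, "repeats": repeats, "foreign": foreign,
            "retype_ratio": retype_ratio, "evidence": evidence}


# Constructed sample sessions (not real honeypot data; addresses are TEST-NET).
AUTOMATED = Session("203.0.113.7", "linux", False, [
    Command(0.0, "uname -a", False),
    Command(0.1, "uname -a", False),
    Command(0.2, "uname -a", False),
    Command(0.3, "uname -a", False),
    Command(0.4, "dir", False),        # Windows command on a Linux honeypot
    Command(0.5, "tasklist", False),
])

MANUAL = Session("198.51.100.4", "linux", True, [
    Command(0.0, "uname -a", False),
    Command(4.2, "ls -la", False),
    Command(12.1, "cat /etc/pasdw", True),   # typo, corrected on the next line
    Command(14.4, "cat /etc/passwd", False),
    Command(25.4, "ps aux", False),
])

if __name__ == "__main__":
    for sess in (AUTOMATED, MANUAL):
        r = score_session(sess)
        print(sess.src, r["verdict"], "|", "; ".join(r["evidence"]))
```

The verdict is a starting point for the analyst, not a final answer: a scripted session driven by a human-written playbook can show regular timing and no typos, so keep the evidence list alongside the verdict and feed the inter-command timing into the same timeline you build for the initial compromise.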
Almost all hackers and malware employ two different mechanisms of action: one used to gain initial access and the other to accomplish their true intent. Breaking in is often just a means to an end, although many hackers and malware are content to simply break in.
For example, the Slammer worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html) used a buffer overflow exploit to compromise Microsoft SQL Server machines (and clients running the Microsoft Desktop Engine, or MSDE). After gaining initial access, it used the resources of the exploited machine to attack other computers with the same exploit. It contained no damaging routine and infected no files. It did no other damage than that resulting from overflowing the server and launching as many exploratory attacks against new hosts as possible. Its replicating routine so overwhelmed the exploited host and network that its spread was actually hampered as it unintentionally caused its own chokepoints. The effects of the Slammer worm could have been devastating if it had spread a little less quickly and if it had erased data.
The hacker’s or malware’s intent after the initial exploit is often more important to the honeypot administrator. Did the intruder want to compromise that particular machine, or was it just an exploitable host?
Hackers could, if they wanted to, analyze the computer’s data and eventually gain access to valuable information. Imagine the damage hackers could do to a corporate network or data center by capturing passwords or silently corrupting data. Maybe they could sell the data to an interested third party, or hold the data hostage. Even most home computers contain valuable information. Computer users often access their online bank accounts and conduct online commercial transactions. If hackers wanted to, they could steal credit card information and go on a buying spree. Certainly, a small percentage of hackers do just that.
However, most hackers and malware simply want the resources of the computer. They don’t know (and don’t care) what computer they are breaking into. They want to use the CPU cycles and disk space. Maybe the computer will be used to store pirated DVDs, games, or other hackers’ warez. Other times, the computer is commandeered to attack other computer systems, like a zombie trojan botnet.
Zombie trojans are malware programs deposited on exploited machines, which then patiently wait for commands from the originating hacker. Hackers often exploit dozens to thousands of computers with these trojans in preparation for a larger attack, making a network of bots (or a botnet). The entire resources of the malicious botnet can then be directed against a single computer or web site. Along the same lines, today’s spammers use worms or viruses to direct otherwise innocent computers to send out millions of unsolicited messages. Some antispam resources, like MessageLabs (http://www.messagelabs.com), say that more than 60% of the spam delivered today is sent out by spam bots.
Computers may also be used to commit corporate crime. I was involved in a case where a competitor infiltrated a company’s computer to gain competitive advantage. The hacker company was able to learn what price its competitor was bidding on different fish contracts and beat the other company every time by pennies per pound. In six months, the aggrieved company was out of business, and the competitor had stolen millions of dollars in contracts. I was able to prove the grievance in court. The harmful competitor was placed in jail, but my client’s company was gone, and he was bankrupt.
As another example, The Honeynet Project (http://www.honeynet.org/papers/profiles/cc-fraud.pdf) recorded a credit card fraud network, including the participants, tools, and involved businesses. Although The Honeynet Project has a policy of not getting involved with law enforcement agencies, the millions of dollars of potential damage made this analysis an exception. Even more interesting was the fact that this particular crime ring, although involved in high-stakes computer crime, made no significant efforts to hide its activities. Communications were not encrypted. Network transactions happened on an IRC network using clear-text transmissions. All it took to capture the fraud was an exploitable honeypot.
Regardless of the intent of the hackers or malware, honeypot analysis should be done using a structured approach, which is the main topic of this chapter.