HoneySpider Network: a Java based system to hunt down malicious websites



  1. Niels van Eijck • Principal Consultant, NCIM • n.van.eijck@ncim.nl • @nvaneijck
  2. Java Developer • Principal Consultant @NCIM • Currently @Dutch National Cyber Security Centre (NCSC-NL)
  3. Introduction • HoneySpider Network • Service Development • Demo • Summary
  4. Every piece of software contains vulnerabilities! • Browsers (IE, Firefox, Chrome, Opera, WGET) • Flash, Acrobat Reader, etc.
  5. Early warning system • Scan periodically • Trusted websites (diagram: HoneySpider Network scans the sites and finds only benign content)
  6. Early warning system • Scan periodically • Trusted websites • Detect malicious content • Report (diagram: HoneySpider Network finds malicious content on one of the sites and reports it)
  10. (diagram of a watering-hole attack) 1 Intelligence gathering • 2 Inject exploit in selected sites • 3 Drop malware on vulnerable systems • 4 Initiate malicious activity • Images courtesy of chanpipat / FreeDigitalPhotos.net
  11. Major news sites: NU.nl, Telegraaf.nl • Government sites: whitehouse.gov, dol.gov • Politically related sites: rsf.org
  12. Source: threatpost.com / netsecurity.org
  13. February 2013 • Clients exploited via Java 6 vulnerability • Apple, Facebook & Twitter compromised
  14. Source: zdnet.com / foxit.com
  15. August 2013 • First noticed at conrad.nl • Visitors are redirected to a site serving the Blackhole exploit kit (PDF & Java) • Turns out conrad.nl is not the only one
  16. Hosting provider targeted by phishing email • PDF containing malware • One client got compromised • Credentials obtained for DNS registrar • DNS nameserver entry changed • Legitimate action…
  18. All this shows a need to invest in early detection and analysis of attacks on clients • Meet HoneySpider Network 2 (HSN)
  19. Introduction • HoneySpider Network • Service Development • Demo • Summary
  20. Started as a joint venture: CERT Polska and the Dutch National Cyber Security Centre (NCSC-NL) • Work on version 2 started in 2011 • Code released under GPL license in January 2013
  21. Early warning system • Detects attacks on client applications: webpages, files • Supports a variety of services & analyzers • Flexible configuration • Scalable • Open architecture
  22. (architecture diagram) HoneySpider Network • Operational: Jobs, Services, Web interface, CLI • Reporting: Report, DB export
  23. Communication: RabbitMQ (AMQP), Google Protocol Buffers • Workflows: Activiti, Git • Storage: Apache CouchDB, JSON documents • Programming languages: Java, Python, C++
  25. HSN Workflow Language (HWL): XML • Process each URL • File with URLs • Service “A” • Service “B” • Reporter: aggregate results from services, store in database
  26. Input / Output: Feeder (file / url), Reporter • Scanners: Antivirus • Web clients: HtmlUnit, Thug • Analyzers: Shellcode, JavaScript, PDF, MS Office, Flash • Honeypots: Capture HPC, Cuckoo
  27. High interaction honeypot • Vulnerable system visits website • Activity is recorded • Uses virtualization software • Analysis plugins • Reporting plugins
  28. Django framework • Supports scheduling of jobs • Basic statistics • RSS feeds of malicious results
  29. Introduction • HoneySpider Network • Service Development • Demo • Summary
  30. Service class:

      package nl.ncim.hsn2.service;

      import ...;

      // Service daemon: wraps a GenericService around the task factory
      public class DemoService implements org.apache.commons.daemon.Daemon {

          private GenericService service = null;

          @Override
          public void init(DaemonContext context) throws DaemonInitException, Exception {
              this.service = new GenericService(new DemoServiceTaskFactory(), ...);
          }

          @Override
          public void start() throws Exception {
              ...
              service.run();
              ...
          }
      }
  32. Task factory:

      package nl.ncim.hsn2.service;

      import ...;

      // Creates one DemoServiceTask for every object handed to the service
      public class DemoServiceTaskFactory implements TaskFactory {

          @Override
          public Task newTask(TaskContext jobContext, ParametersWrapper parameters,
                              ObjectDataWrapper data) throws ParameterException {
              return new DemoServiceTask(jobContext, data);
          }
      }
  35. Task class:

      package nl.ncim.hsn2.service;

      import ...

      /**
       * The task class for the HSN2 Demo Service.
       * This is the place where the actual work is being done.
       */
      public class DemoServiceTask implements Task {

          private TaskContext jobContext;
          private String url;

          public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) {
              this.jobContext = jobContext;
              // the URL exactly as it was fed into the job
              this.url = data.getString("url_original");
          }

          @Override
          public void process() throws ParameterException, ResourceException, StorageException {
              // results are stored as attributes on the job and picked up by the reporter
              jobContext.addAttribute("statement", "J-Fall Rocks!");
          }
      }
  38. Report template (the trailing comma after the last list element on the slide has been removed so the template is valid JSON):

      {
        "type": "analysis",
        "job": <<@|hsn-job-id>>,
        "service": "demo-service",
        "node": <<@|hsn-node-ref>>,
        "classification": "benign",
        "details": {
          "structure": "list",
          "name": "Analysis details of Demo Service",
          "value": [
            {
              "structure": "text",
              "name": "Statement",
              "value": <<statement>>
            }
          ]
        }
      }
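As an added example (not from the slides or the HSN2 project), the task pattern of slides 30 to 38 carried through with real work in process(): a task that classifies the fed URL by its host against a constructed blocklist, and a small renderer that fills a slide-38 style template from the attributes the task produced. TaskContext and ObjectDataWrapper are stand-in interfaces declared here with the method names the slides show, so the example compiles and runs offline; the DomainCheckTask class, the blocklist entries, the render and jsonString helpers and the hsn-job-id value are assumptions of this example, not HSN2 API.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DomainCheckExample {

    /** Stand-in for the HSN2 TaskContext (assumption): collects job attributes. */
    interface TaskContext {
        void addAttribute(String name, String value);
        Map<String, String> attributes();
    }

    /** Stand-in for the HSN2 ObjectDataWrapper (assumption): read-only object data. */
    interface ObjectDataWrapper {
        String getString(String key);
    }

    /** In-memory implementation of both stand-ins so the example runs offline. */
    static class MemoryContext implements TaskContext, ObjectDataWrapper {
        private final Map<String, String> attrs = new LinkedHashMap<>();
        private final Map<String, String> data = new HashMap<>();
        MemoryContext(String urlOriginal) { data.put("url_original", urlOriginal); }
        public void addAttribute(String name, String value) { attrs.put(name, value); }
        public Map<String, String> attributes() { return attrs; }
        public String getString(String key) { return data.get(key); }
    }

    /** Constructed sample blocklist (placeholder hosts); a real service would load a feed. */
    static final Set<String> BLOCKED_HOSTS = Set.of("bad.example", "exploit-kit.example");

    /** Shaped like DemoServiceTask on slide 35, but with a real check in process(). */
    static class DomainCheckTask {
        private final TaskContext jobContext;
        private final String url;

        DomainCheckTask(TaskContext jobContext, ObjectDataWrapper data) {
            this.jobContext = jobContext;
            this.url = data.getString("url_original");
        }

        /** Classify the URL by its host and record the verdict as job attributes. */
        void process() {
            String parsedHost;
            try {
                parsedHost = new URI(url).getHost();
            } catch (URISyntaxException e) {
                parsedHost = null;
            }
            if (parsedHost == null) {
                // unparsable input is reported as such, never silently treated as benign
                jobContext.addAttribute("classification", "unknown");
                jobContext.addAttribute("statement", "URL could not be parsed: " + url);
                return;
            }
            final String host = parsedHost.toLowerCase();
            boolean listed = BLOCKED_HOSTS.stream()
                    .anyMatch(b -> host.equals(b) || host.endsWith("." + b));
            jobContext.addAttribute("classification", listed ? "malicious" : "benign");
            jobContext.addAttribute("statement",
                    (listed ? "host is on the blocklist: " : "host is not listed: ") + host);
        }
    }

    private static final Pattern PLACEHOLDER = Pattern.compile("<<([^>]+)>>");

    /** <<name>> takes the job attribute of that name, quoted as a JSON string;
     *  <<@|name>> takes a built-in job value and is inserted as-is. */
    static String render(String template, Map<String, String> attrs, Map<String, String> builtins) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String key = m.group(1);
            String value = key.startsWith("@|")
                    ? builtins.get(key.substring(2))
                    : (attrs.get(key) == null ? null : jsonString(attrs.get(key)));
            if (value == null) throw new IllegalStateException("no value for placeholder " + key);
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Quote as a JSON string literal so attribute text cannot break the report structure. */
    static String jsonString(String s) {
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    public static void main(String[] args) {
        String template = "{\"type\":\"analysis\",\"job\":<<@|hsn-job-id>>,\"service\":\"domain-check\","
                + "\"classification\":<<classification>>,"
                + "\"details\":{\"structure\":\"text\",\"name\":\"Statement\",\"value\":<<statement>>}}";
        // constructed sample inputs: a listed host, an unlisted host, and malformed input
        String[] inputs = {"http://www.bad.example/index.html", "https://www.nu.nl/", "not a url"};
        for (String u : inputs) {
            MemoryContext ctx = new MemoryContext(u);
            new DomainCheckTask(ctx, ctx).process();
            System.out.println(render(template, ctx.attributes(), Map.of("hsn-job-id", "42")));
        }
    }
}
```

Running it prints one report line per input, with classification malicious, benign and unknown respectively. The two design points worth carrying into a real service are that a URL the task cannot parse gets its own verdict rather than falling through to benign, and that attribute values are JSON-quoted before they reach the report, so text taken from the scanned site cannot alter the report's structure.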
  39. Introduction • HoneySpider Network • Service Development • Demo • Summary
  40. Java SE 7 JRE exploit (CVE-2012-4681) • Vulnerabilities in the JRE allow attackers to escape from the sandbox environment • Fixed in Java SE 7 JRE update 7 • currently at 7u45... • https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=3122
  41. (demo diagram, built up over slides 41 to 45) Job → HoneySpider Network → Cuckoo Service → Cuckoo → Windows XP virtual machine → VM with Metasploit; result: Report
  46. Calc.exe aka Hello, world! • A hacker would execute more serious stuff: > format C:, botnet client, keylogger
  48. Introduction • HoneySpider Network • Service Development • Demo • Summary
  49. HoneySpider Network: a Java based system to hunt down malicious websites • Visit www.honeyspider.net • Feel free to try it: Appliance (VirtualBox), Installation Guide, GitHub (https://github.com/CERT-Polska/hsn2-bundle) • Call for developers!
  50. Thank you for your attention! • n.van.eijck@ncim.nl • @nvaneijck
