OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ryan Barnett (RCBarnett@hushmail.com)
Date: Sat Jan 12 2002 - 13:19:34 CST


    I originally posted this in the Honeypot mail-list, but
    many people suggested that I also post it here, due to
    the relevance.

    >>>
    Greetings All:

    I took Lance Spitzner's advice to post this to the
    Honeypot List, I hope it is of some value.

    I have been dabbling with using VMware as a
    honeypot for a couple months now and I must admit,
    it is a lot of fun. I thought I would share some of my
    own info with you all since I know you are all heavily
    involved with Honeypots, Forensics, VMware, etc.

    Many Forensic Analysts are faced with the time
    consuming task of combining typical Unix
    commands such as "find", "strings" and "grep" to
    quickly analyze compromised systems.

    Example = "# find . -type f -print | xargs grep -i [PATTERN]"

    I have done this task many times and it is just a plain
    pain in the A$$ since you can only search for a couple
    patterns at a time. In order to speed this process up
    considerably, there is another method that I have
    used to examine both VMware honeypot images
    (such as the linux.img file) or normal dd images of
    compromised systems. The surprising Forensic tool
    is SWATCH - http://www.oit.ucsb.edu/~eta/swatch/.
    SWATCH is well known in the Unix SysAdmin realms
    to monitor system files in real-time. Little did I know,
    that such a powerful Forensic tool was already sitting
    on my system. I suggest that you read the SWATCH
    documentation if you are unfamiliar with how it
    functions. If you are already familiar with SWATCH,
    then read on...

    By using SWATCH, I am able to simultaneously
    search for many regular expressions all at once by
    putting them within the SWATCH config file. I have
    run SWATCH (Version 3.0.4) with the
    "--examine=filename" flag to do a single pass on an
    entire VMware image to look for suspicious info. I am
    still working on tweaking my swatchrc.honeypot
    config file for malicious keywords. This tweaking
    involves both adding common "hacker" words and
    the appropriate PERL syntax. This file is used by
    SWATCH for the alert triggers to search for in a file. I
    am trying to compile an extensive list of keywords for
    the SWATCH file - such as; sniff, IRC, hack, bot,
    trojan, etc...some of the techniques that I have used
    for gathering keywords have been to review rootkit
    files, using the "Hacker Jargon" file -
    http://www.antionline.com/jargon/ and surprisingly
    productive, to read the META information within the
    html pages of hackersites.

    Anyways, using SWATCH in this manner allows me
    to search simultaneously for many keywords that
    would be realistically unfeasible to do on the
    command line. The only limiting factor that I have
    run into thus far is that the "context" to which these
    keyword matches are related is missing, i.e. What file
    is this word located in? Who owns that file? What are
    the MAC times, etc... These are questions that must
    be answered by a more extensive forensic analysis. It
    is extremely effective, however, at throwing out a big
    net and getting some places to start an investigation.
    This method is also useful to run as a quick check
    to see if there is any mischievous behaviour
    happening on a live VMware image. If you get any
    hits, then you should proceed to a more interactive
    Forensics analysis.

    Here is a quick example -

    I setup SWATCH-3.0.4 on a Solaris host and
    configured it with the following config
    file "swatchrc.honeypot". Notice the use of the "pipe"
    command - where the output is sent into other
    commands directly through SWATCH. I pipe each
    matched line into "strings" and then the output is
    appended to the swatch_honeypot.txt file. This is
    very useful since many of the hits could be from
    binary files and this makes sure that the output will be
    in human readable format. Additionally, the end of the
    SWATCH REGEXP line has the "i" appended. This
    allows for case-insensitivity during the search, which
    is MUCH needed when dealing with common
    Blackhat naming conventions - Below is a partial
    example of my swatchrc.honeypot file -

    ###########################################
    # SWATCH configuration file for scanning suspected compromised filesystem images
    #
    # This SWATCH Forensic Technique and Config file was created by:
    # Ryan C. Barnett
    # SAPHE Security Team Lead
    # SAPHE = System Analysis to Prevent Hacker Exploitation
    # Email: RCBarnett@hushmail.com
    #

    # The following REGEXP triggers are common keywords associated with suspicious activity.
    # It is assumed that if you are using this technique against a dd imaged copy of a system,
    # chances are you had some reason to suspect that the system was compromised, right?!
    # This technique will help you to quickly scan an image of a system to look for a large
    # number of keywords all at once. This negates the need for extremely long commandline
    # GREP searches.
    #
    # Additionally, this technique has been most effective when used in conjunction with
    # VMware honeypot images. You can scan the entire linux.img file for a particular host
    # and get back results.
    #
    # Here are some examples of some keywords to get you started, feel free to add to them.
    # IMPORTANT - Do NOT delete the "i" following the last REGEXP match. This needs to be
    # in place for case-insensitivity purposes. This allows for matches of say - "rootkit"
    # and "RootKit".
    #
    # If SWATCH finds a match it will echo the line to the screen in bold and also append
    # the line to the selected honeypot file for analysis.

    watchfor /rootkit|root kit|hack| irc | bot |sniff|backdoor|back door|promisc|knark|hax0r|hide|trojan|virus|TFN2K|adore|LKM|attack|denial-of-service|ddos|brute force|0wn/i
            echo=bold
            pipe `strings | echo $0 >> /images/swatch_honeypot.txt`
    ###########################################

    I ran SWATCH against one of the Honeynet Project's
    dd images (from Scan of the Month 15 - Recover a
    deleted rootkit) - honeypot.hda8.dd.
    http://project.honeynet.org/scans/scan15/

    ###########################################
    # ./swatch --config-file=swatchrc.honeypot --examine=/images/honeynet/honeypot.hda8.dd

    *** swatch-3.0.4 (pid:2278) started at Thu Jan 10 16:58:28 EST 2002
    ###########################################

    I let SWATCH run for a very short time through the dd
    image. After I saw some of the hits that were echo'd
    to my terminal I exited the SWATCH session and
    examined the swatch_honeypot.txt file. This file
    provided many useful clues of where to begin a live
    forensic examination! Here is the actual
    swatch_honeypot.txt file after running SWATCH
    against the dd image -

    ###########################################
    # more swatch_honeypot.txt
    echo ********* Instalarea Rootkitului A Pornit La Drum *********
    echo 3 linsniffer >>/dev/rpm
    cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
    cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/..
    rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
    ./linsniffer >> ./tcp.log &
    ./linsniffer >tcp.log &
    ###########################################

    As you can see, it identified some quick places to
    start an investigation - It looks like there are some
    new directories ".drag-on", "/dev/ida/.." - and that
    there was a sniffer installed, etc... While not perfect,
    it is still pretty powerful.

    I am also getting ready to test using SWATCH to
    monitor VMware GuestOS files while they are actually
    in use. I am not sure if this will work, but we will see.
    I am going to use this RegExpr syntax in the
    swatchrc file -

    watchfor /.*/

    This should catch all changes made to the linux.img
    file for the GuestOS. As mentioned in a great
    VMware paper by Kurt Seifried -
    http://www.seifried.org/security/ids/20020107-honeypot-vmware-basics.html,
    the size of the VMware image files both contracts
    and expands during operation. The test will be if
    SWATCH is actually able to pick up most of this
    activity. I did a trial run and had SWATCH monitor a
    normal ASCII text file with this config. I then echo'd
    text into the file and it worked, of course. I then vi'ed
    the file and inserted text in the middle of the file. It
    caught that as well. Anyways, I have no idea how this
    will turn out with the actual VMware image in use, but
    I will soon find out...I am sure that there will need to
    be massive changes made to the swatchrc config file
    using some of the other flags such as "ignore",
    "throttle", etc...

    Anyways, I hope some of my techniques will help you
    all. Let me know if you all would be interested in my
    test results of this scenario, or to get a copy of my
    entire swatchrc config file with the added Intrusion
    Keywords.

    Good Luck,
    Ryan

    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com