Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (14)
Destaque
Destaque (20)
Semelhante a HoneySpider Network: a Java based system to hunt down malicious websites
Semelhante a HoneySpider Network: a Java based system to hunt down malicious websites (20)
Mais de NLJUG
Mais de NLJUG (20)
Último
Último (20)
HoneySpider Network: a Java based system to hunt down malicious websites
- 1. Niels van Eijck Principal Consultant, NCIM n.van.eijck@ncim.nl @nvaneijck
- 2. Java Developer Principal Consultant @NCIM Currently @Dutch National Cyber Security Centre (NCSC-NL) 2
- 4. Every piece of software contains vulnerabilities! Browsers (IE, Firefox, Chrome, Opera, WGET) Flash, Acrobat Reader, etc. 4
- 5. Early warning system Scan periodically Trusted websites Benign content HoneySpider Network Benign content Benign content 5
- 6. Early warning system Scan periodically Trusted websites Detect malicious content Report Benign content HoneySpider Network Malicious content Benign content 6
- 7. 7
- 8. 8
- 9. 9
- 10. Images courtesy of chanpipat / FreeDigitalPhotos.net 1 Intelligence gathering 4 2 Initiate malicious activity Inject exploit in selected sites 3 Drop malware on vulnerable systems 3 10
- 11. Major news sites NU.nl Telegraaf.nl Government sites whitehouse.gov dol.gov Political related sites rsf.org 11
- 12. Source: threatpost.com / netsecurity.org 12
- 13. February 2013 Clients exploited via Java6 vulnerability Apple, Facebook & Twitter compromised 13
- 14. Source: zdnet.com / foxit.com 14
- 15. August 2013 First noticed at conrad.nl Visitors are redirected to site serving Blackhole exploit kit (PDF & Java) Turns out conrad.nl is not the only one 15
- 16. Hosting provider targeted by phishing email PDF containing malware One client got compromised Credentials obtained for DNS registrar DNS Nameserver entry changed Legitimate action… 16
- 17. 17
- 18. All this shows a need to invest in early detection and analysis of attacks on clients Meet HoneySpiderNetwork 2 (HSN) 18
- 20. Started as joint venture CERT-Polska Dutch National Cyber Security Centre (NCSC-NL) Work on version 2 started in 2011 Code released under GPL license in january 2013 20
- 21. Early warning system Detects attacks on client applications Webpages Files Supports variety of services & analyzers Flexible configuration Scalable Open architecture 21
- 23. Communication RabbitMQ (AMQP) Google Protocol Buffers Workflows Activiti Git Storage Apache CouchDB JSON documents Programming languages Java Python C++ 23
- 24. 24
- 25. HSN Workflow Language (HWL) XML Process Each URL Reporter • File with URLs • Service “A” • Service “B” • Aggregate results from services • Store in database 25
- 26. Input / Output Feeder (file / url) Reporter Scanners Antivirus Web Clients HtmlUnit Thug Analyzers Shellcode JavaScript PDF MS Office Flash Honeypots Capture HPC Cuckoo 26
- 27. High interaction honeypot Vulnerable system visits website Activity is recorded Uses virtualization software Analysis plugins Reporting plugins 27
- 28. Django framework Supports scheduling of jobs Basic statistics RSS feeds of malicious results 28
- 30. package nl.ncim.hsn2.service; import ...; public class DemoService implements org.apache.commons.daemon.Daemon { private GenericService service = null; @Override public void init(DaemonContext context) throws DaemonInitException, Exception { this.service = new GenericService(new DemoServiceTaskFactory(), ...); } @Override public void start() throws Exception { ... service.run(); ... } } 30
- 31. package nl.ncim.hsn2.service; import ...; public class DemoService implements org.apache.commons.daemon.Daemon { private GenericService service = null; @Override public void init(DaemonContext context) throws DaemonInitException, Exception { this.service = new GenericService(new DemoServiceTaskFactory(), ...); } @Override public void start() throws Exception { ... service.run(); ... } } 31
- 32. package nl.ncim.hsn2.service; import ...; public class DemoServiceTaskFactory implements TaskFactory { @Override public Task newTask(TaskContext jobContext, ParametersWrapper parameters, ObjectDataWrapper data) throws ParameterException { return new DemoServiceTask(jobContext, data); } } 32
- 33. package nl.ncim.hsn2.service; import ...; public class DemoServiceTaskFactory implements TaskFactory { @Override public Task newTask(TaskContext jobContext, ParametersWrapper parameters, ObjectDataWrapper data) throws ParameterException { return new DemoServiceTask(jobContext, data); } } 33
- 34. package nl.ncim.hsn2.service; import ...; public class DemoServiceTaskFactory implements TaskFactory { @Override public Task newTask(TaskContext jobContext, ParametersWrapper parameters, ObjectDataWrapper data) throws ParameterException { return new DemoServiceTask(jobContext, data); } } 34
- 35. package nl.ncim.hsn2.service; import ... /** * The task class for the HSN2 Demo Service. * This is the place where the actual work is being done. */ public class DemoServiceTask implements Task { private TaskContext jobContext; private String url; public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) { this.jobContext = jobContext; this.url = data.getString("url_original"); } @Override public void process() throws ParameterException, ResourceException, StorageException { jobContext.addAttribute("statement", "J-Fall Rocks!"); } } 35
- 36. package nl.ncim.hsn2.service; import ... /** * The task class for the HSN2 Demo Service. * This is the place where the actual work is being done. */ public class DemoServiceTask implements Task { private TaskContext jobContext; private String url; public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) { this.jobContext = jobContext; this.url = data.getString("url_original"); } @Override public void process() throws ParameterException, ResourceException, StorageException { jobContext.addAttribute("statement", "J-Fall Rocks!"); } } 36
- 37. package nl.ncim.hsn2.service; import ... /** * The task class for the HSN2 Demo Service. * This is the place where the actual work is being done. */ public class DemoServiceTask implements Task { private TaskContext jobContext; private String url; public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) { this.jobContext = jobContext; this.url = data.getString("url_original"); } @Override public void process() throws ParameterException, ResourceException, StorageException { jobContext.addAttribute("statement", "J-Fall Rocks!"); } } 37
- 38. { "type":"analysis", "job":<<@|hsn-job-id>>, "service":"demo-service", "node":<<@|hsn-node-ref>>, "classification":"benign", "details": { "structure":"list", "name":"Analysis details of Demo Service", "value": [ { "structure":"text", "name":"Statement", "value":<<statement>> }, ] } } 38
- 40. Java SE 7 JRE Exploit (CVE-2012-4681) Vulnerabilities in the JRE allow attackers to escape from the sandbox environment Fixed in Java SE 7 JRE update 7 currently at 7u45... https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=3122 40
- 43. Job HoneySpider Network Cuckoo Service Cuckoo Windows XP virtual machine VM with Metasploit 43
- 44. Job HoneySpider Network Cuckoo Service Cuckoo Windows XP virtual machine VM with Metasploit 44
- 46. Calc.exe aka Hello, world! A hacker would execute more serious stuff > format C: botnet client keylogger 46
- 47. 47
- 49. HoneySpiderNetwork; a Java based system to hunt down malicious websites Visit www.honeyspider.net Feel free to try it Appliance (virtualbox) Installation Guide Github (https://github.com/CERT-Polska/hsn2-bundle) Call for developers! 49
- 50. Thank you for your attention! n.van.eijck@ncim.nl @nvaneijck 50