Darknoc: Dashboard for Honeypot Management

Total Page:16

File Type:pdf, Size:1020Kb

Darknoc: Dashboard for Honeypot Management DarkNOC: Dashboard for Honeypot Management Bertrand Sobesto, Michel Cukier Matti Hiltunen, Dave Kormann, Gregg Vesonder Clark School of Engineering AT&T Labs Research University of Maryland 180 Park Ave. College Park, MD, USA Florham Park, NJ, USA fbsobesto, [email protected] fhiltunen, davek, [email protected] Robin Berthier Coordinated Science Laboratory Information Trust Institute University of Illinois Urbana-Champaign, IL, USA [email protected] Abstract been used to conduct various studies of attackers [1, 9] and analysis of cyber crimes such as unsollicited elec- Protecting computer and information systems from secu- tronic mails, phishing [10], identity theft and denial of rity attacks is becoming an increasingly important task service. The computer security community has used hon- for system administrators. Honeypots are a technol- eypots to analyze different techniques deployed by the ogy often used to detect attacks and collect information attackers to reach their objectives. Attackers’ arsenal about techniques and targets (e.g., services, ports, oper- includes distributed denial of service [24], botnets [2], ating systems) of attacks. However, managing a large worms [11] or SPAM [15]. However few studies focus and complex network of honeypots becomes a challenge on the usage of honeypots data to help network adminis- given the amount of data collected as well as the risk that trators to better protect their production networks. Hon- the honeypots may become infected and start attacking eypot deployment is challenging and the architecture of other machines. In this paper, we present DarkNOC, a such networks is complex. For example, distributed hon- management and monitoring tool for complex honeynets eynets require secure tunnels and different levels of pro- consisting of different types of honeypots as well as other tection must be in place to ensure a total containment of data collection devices. DarkNOC has been actively used attacks targeting the honeypots. In addition, honeynets to manage a honeynet consisting of multiple subnets and require constant monitoring to guarantee that protection hundreds of IP addresses. This paper describes the archi- systems (for example firewalls, traffic shappers) and data tecture and a number of case studies demonstrating the collection are operating correctly. Depending on the size use of DarkNOC. of the honeynet, the volume of data collected can be im- portant and impacts significantly data processing and ex- 1 Introduction traction. To be integrated as a security tool, honeypots data must be presented and translated in meaningful way Because of the value of the data they store and the re- to network administrators. sources they provide, information systems become tar- In this paper, we introduce DarkNOC, a solution de- gets for attackers and must be protected. To better se- signed to efficiently process large amount of malicious cure computer systems from external threats, security traffic received by a large honeynet, and to provide a researchers aim to understand attackers and the differ- user-friendly Web interface to highlight potential com- ent techniques they use to compromise computers and promised hosts to security administrators, as well as to achieve their goals. One possible approach is to use a provide the overall network security status. DarkNOC is target computer, called a honeypot, which is not used used to manage the UMD honeynet, a network of 2,000 by normal users. Therefore, all the activity towards this honeypots from which information about attacks is con- computer can be considered malicious. tinuously extracted and provided to the security team to Individual honeypots or networks of honeypots have help them better protect the production network. The rest of the paper is organized as follows. In Sec- • Snort Events: Snort [20] is an Intrusion Detection tion 2, we provide an overview of the architecture and System (IDS) for detecting attacks and potential in- operation of DarkNOC. In Section 3, we describe the trusions. Snort provides information about the types outputs and views provided by the DarkNOC. We pro- of attacks used against the honeypots. vide a number of case studies using DarkNOC in Section 4. Finally we review the related work in Section 5, we • Malware Collection: Nepenthes acts as a passive provide some remarks on future work in Section 6 and malware collector by emulating common service conclude the paper in Section 7. vulnerabilities and allowing attackers to inject the malware binaries. Nepenthes provides a log of each malware submission containing information such as 2 DarkNOC Architecture the date and the vulnerability used but also the bi- nary injected. This allows DarkNOC to see what This section describes what DarkNOC does, how it col- kinds of malware are successfully uploaded, the se- lects data, and its internal structure. curity signatures, and port used. It also allows to measure the efficiency of the security solution pro- tecting the network. 2.1 System Architecture DarkNOC manages multiple types of honeypots and in- 2.2 DarkNOC Software Architecture formation sources as illustrated in Figure 1. The UMD The design of the DarkNOC software architecture was honeynet consists of low interaction honeypots (LIHs) driven by the following constraints: such as Nepenthes [3] as well as high-interaction honey- pots (HIHs) consisting of virtual or physical machines • The aesthetics from the user’s point of view: The running real operating systems, applications, and ser- user interface should be easy to access and the im- vices [5]. The UMD honeynet supports multiple sub- portant data should be automatically highlighted. nets consisting of IP addresses contributed by different This interface should be highly portable so that organizations participating in the research. DarkNOC users can use different operating systems and access collects multiple sources of information from different the system from different geographic locations (i.e., devices (e.g., NetFlow from Gateway, Snort events from not tied to one dedicated machine). Snort Sensors [20], and malware from Nepenthes), an- alyzes the data, and presents it to users in an efficient • Speed: The user interface must be fast and the user and actionable manner. The details of the data views and should not have to wait for the results to be dis- their use in analyzing security incidents are discussed in played. Processing high volumes of data can be Sections 3 and 4. time consuming and if the processing is started only The current information sources consist of the follow- when the user requests a data view, the response ing: time may not be satisfactory. Therefore, our sys- tem uses data pre-processing when possible to en- sure fast response. • NetFlow Data: DarkNOC uses nfdump1 to extract NetFlow data collected on the main gateway of the • Data validity: The data displayed should be reason- honeypots. The flow data provides enough infor- ably up to date and reflect the current activity. mation to determine the number of attackers, the different source and destination IP addresses, and To meet these requirements, the application software the different source and destination ports. Specifi- has been divided into three different parts: 1) a graphical cally, each NetFlow record summarizes communi- Web front-end, 2) back-end, and 3) alerting module. The cation between two network end points (defined by front-end generates a Web page displaying the different the IP addresses and port numbers of the end points) information. The back-end extracts the necessary data including the time, duration, and numbers of bytes from the flows and creates the different graphs. and packets (see example below), but does not con- tain any payload information (i.e., content of the Back-end Module: Written in Perl, the back-end mod- messages transmitted). ule is a background process that updates the information Date flow start Duration Port Src IP:Port -> Dst IP:Port Packets Bytes Flows displayed by the front-end every 5 minutes based on the 2010-02-09 06:43:... 4294966.937 TCP 218.8.251.187:20347 -> x.x.x.x:80 2 94 1 2010-02-09 06:43:... 4294966.977 TCP 218.8.251.187:20347 -> x.x.x.x:80 2 94 1 NetFlow data. The separation of flow processing from the display was necessary to guarantee a fast response 1http://nfdump.sourceforge.net/ time at the user interface, because the extraction of flow 2 Figure 1: System architecture data can be time consuming. Since the flow data is up- A lock file prevents multiple executions of this process at dated every 5 minutes by the flow collector, a continu- the same time. For each subnet and the global view, the ous live update of the displayed views is unnecessary. back-end generates the different graphs, the list of desti- However it requires the tool to process the new flow files nation ports, the list of attackers and the list of targeted within 5 minutes. DarkNOC provides information for honeypots. The graphs are created using RRDTool2, an the last 24 hours and the last 5 minutes. Two different open source tool for storage and retrieval of time series. processes generate the 24 hours and 5 minutes statistics. For about 2,000 IP addresses, an average of 15,995 flows Graphical User Interface: The graphical user inter- are generated every 5 minutes representing about 5 mil- face organizes the different data necessary to present a lion flows per day. It takes an average of 7.4 seconds summary of the honeypots activity. Web technologies to process a newly created flow file. Given this num- such as the PHP language and Cascading Style Sheets ber, DarkNOC is able to process almost a hundred times are used. A Web page is extremely portable and requires more flows within 5 minutes. Generating the statistics on no configuration on the client side. Figure 2 shows the the last 24 hours is computationally more expensive and homepage of DarkNOC.
Recommended publications
  • A Comparative Analysis of Open- Source Intrusion Detection Systems
    TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Computer Science Chair of Network Software A COMPARATIVE ANALYSIS OF OPEN- SOURCE INTRUSION DETECTION SYSTEMS Master’s Thesis ITI70LT Student: Mauno Pihelgas Student code: 106497IVCMM Advisor: Risto Vaarandi, Ph.D Tallinn 2012 Declaration I hereby declare that I am the sole author of this thesis. The work is original and has not been submitted for any degree or diploma at any other University. I further declare that the material obtained from other sources has been duly acknowledged in the thesis. ……………………………………. ……………………………… (date) (signature) 2 3 List of Acronyms and Abbreviations BSD license A class of extremely simple and very liberal licenses for computer software. Acronym BSD is short for Berkley Source Distribution. [1] CERT Computer Emergency Response Team. CPU Central Processing Unit. DoS Denial of Service. GNU A recursive acronym for GNU's Not Unix. [2] GNU GPL GNU General Public License. The most widely used license for free software. [2] GNU GRUB A multi-boot boot loader responsible for loading and transferring control to the operating system kernel. GPU Graphics processing unit. A processing unit on a graphics cards. HDD Hard Disk Drive. ICMP Internet Control Message Protocol. One of the core protocols of the Internet Protocol suite. IDS Intrusion Detection System. IPS Intrusion Protection System. md5sum A program used to calculate and verify 128-bit MD5 hashes. NIC Network Interface Card. NIDS Network-based Intrusion Detection System. Nmap Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. [3] PCAP A libpcap library file format that is the primary capture format for many networking tools.
    [Show full text]
  • Cyber Security Assessment Tools and Methodologies for the Evaluation of Secure Network Design at Nuclear Power Plants
    Cyber Security Assessment Tools and Methodologies for the Evaluation of Secure Network Design at Nuclear Power Plants A Letter Report to the U.S. NRC January 27, 2012 Prepared by: Cynthia K. Veitch, Susan Wade, and John T. Michalski Sandia National Laboratories P.O. Box 5800 Albuquerque, New Mexico 87185 Prepared for: Paul Rebstock, NRC Program Manager U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Division of Engineering Digital Instrumentation & Control Branch Washington, DC 20555-0001 U.S. NRC Job Code: JCN N6116 Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000. Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation. NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors.
    [Show full text]
  • (Ids) Snort Dan Suricata Berbasis Aturan/Rules Standar Pengembang
    PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN SURICATA BERBASIS ATURAN/RULES STANDAR PENGEMBANG SKRIPSI Diajukan untuk Memenuhi Salah Satu Syarat Memperoleh Gelar Sarjana Komputer Program Studi Teknik Informatika Oleh : Benedictus Yoga Pradana 095314040 HALAMAN JUDUL PROGRAM STUDI TEKNIK INFORMATIKA JURUSAN TEKNIK INFORMATIKA FAKULTAS SAINS DAN TEKNOLOGI UNIVERSITAS SANATA DHARMA YOGYAKARTA 2016 i PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI COMPARING DETECTION CAPABILITY OF SNORT AND SURICATA INTRUSION DETECTION SYSTEM (IDS) BASED ON DEVELOPER’S STANDARD RULES A Thesis Presented as Partial Fulfillment ofThe Requirements to Obtain Sarjana Komputer Degree in Informatics Engineering By : Benedictus Yoga Pradana 095314040 INFORMATICS ENGINEERING STUDY PROGRAM INFORMATICS ENGINEERING DEPARTMENT FACULTY OF SCIENCE AND TECHNOLOGY SANATA DHARMAUNIVERSITY YOGYAKARTA 2016 ii PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI HALAMAN PERSETUJUAN SKRIPSI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN SURICATA BERBASIS ATURAN/RULES STANDAR PENGEMBANG Oleh: Benedictus Yoga Pradana NIM: 095314040 Telah disetujui Oleh: Pembimbing Iwan Binanto, S.Si., M.Cs. Pada tanggal: iii PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI ALAMAN PENGESAHAN SKRIPSI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN
    [Show full text]
  • Intrusion Detection System and Intrusion Prevention System with Snort Provided by Security Onion
    Bezborodov Sergey Intrusion Detection System and Intrusion Prevention System with Snort provided by Security Onion. Bachelor’s Thesis Information Technology May 2016 DESCRIPTION Date of the bachelor's thesis 06.05.2016 Author(s) Degree programme and option Bezborodov Sergey Information Technology Name of the bachelor's thesis Intrusion Detection Systems and Intrusion Prevention System with Snort provided by Security Onion. Abstract In this thesis I wanted to get familiar with Snort IDS/IPS. I used the Security Onion distribution with a lot of security tools, but I concentrated on Snort. Also I needed to evaluate Security Onion environment and check what features it provides for processing with Snort. During the work I needed to figure out the pros and cons of using Security Onion with Snort as a security system for network. I compared it with alternatives and briefly describe it. As result I installed Security Onion, work with the environment, configured different features, created and modified rules and so on. I think this thesis will be helpful for people who want to use IDS/IPS for their network, it should help them to choose IDS/IPS vendor, make Security Onion and Snort installation, make comparison with another one and just get familiar with the network security tools. Also, this thesis can be a part of big research of network security tools, because now is impossible to find such detailed guides and literatures about any IDS/IPS tools. It is a good idea to combine many researches about it and make a good library. This thesis can be used for further development of Snort and Security Onion as it only on the development phase now, it will provide base for new researching with new versions.
    [Show full text]
  • Part I ATTACK VECTORS
    Attack Simulation and Threat Modeling Olu Akindeinde February 8, 2010 Copyright © 2009 Olu Akindeinde Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in Appendix B entitled "GNU Free Documentation License". 2 ATTACK SIMULATION AND THREAT MODELING i PREFACE “The purpose of computing is insight not numbers” I wrote this book as a direct consequence of Security Analysis and Data Visualization1. A lot of ground rules were laid there - we simply follow up here. Attack Simulation and Threat Modeling explores the abundant resources available in advanced security data collection, processing and mining. It is often the case that the essential value inherent in any data collection method is only as good as the processing and mining technique used. Therefore, this book attempts to give insight into a number of alternative security and attack analysis methods that leverage techniques adopted from such subject areas as statistics, AI, data mining, graphics design, pattern recognition and to some extent psychology and economics. As security design and implementation become major components of the overall enterprise architecture and data collection tools improve and evolve, the ability to collect data will no doubt increase dramatically. This then brings us to the value of the data which is often only as useful as what the analysis can shape it into. Whilst the security process itself is key, the collection, processing and mining techniques used to analyze the data are even more important.
    [Show full text]
  • Implementation of a Distributed Intrusion Detection and Reaction System
    Mestrado em Engenharia Inform´atica Disserta¸c~ao Relat´orioFinal Implementation of a distributed intrusion detection and reaction system Jo~aoPedro dos Santos Soares [email protected] Orientador: Prof. Dr. Jorge Granjal Co-Orientador: Eng. Ricardo Ruivo Data: 1 de Setembro de 2016 1 Mestrado em Engenharia Inform´atica Disserta¸c~ao Relat´orioFinal Implementation of a distributed intrusion detection and reaction system Jo~aoPedro dos Santos Soares [email protected] Orientador: Prof. Dr. Jorge Granjal Co-Orientador: Eng. Ricardo Ruivo J´uriArguente: Prof. Dr. M´arioRela J´uriVogal: Prof. Dr. Paulo Sim~oes Data: 1 de Setembro de 2016 3 Abstract Security was not always an important aspect in terms of networking and hosts. Nowa- days, it is absolutely mandatory. Security measures must make an effort to evolve at the same rate, or even at a higher rate, than threats, which is proving to be the most difficult of tasks. In this report we will detail the process of the implementation of a real distributed intrusion detection and reaction system, that will be responsible for securing a core set of networks already in production, comprising of thousands of servers, users and their respec- tive confidential information. Keywords: intrusion detection, intrusion prevention, host, network, security, threat, vul- nerability, hacking 5 Acknowledgments As we step into the most important project of my student life, there's a couple of people to whom I am extremely grateful, without them, this project and my life in general wouldn't be the same. I want to start by thanking my supervisor: Professor Jorge Granjal, who I quickly grew to admire for his dedication to this project.
    [Show full text]
  • Toolsmith Suricata
    toolsmith ISSA Journal | August 2010 Suricata: An Introduction By Russ McRee – ISSA member, Puget Sound (Seattle), USA Chapter mentations.2 I’ll include a bit more on the HTP Library cour- Prerequisites tesy of Ivan below. *nix operating system (Windows binaries Matt Jonkman, the OISF president and board member, of- pending) fered a features table that helps further exemplify Suricata’s capabilities. s I prepare this month’s column for your reading Existing IDS/IPS Engines Suricata pleasure, I also contemplate how to pack every- Features (Open and Commercial) (by the OISF) A thing I want to share with you at the ISSA Interna- Multi-Threaded Processing No Yes tional Conference (September 15-17, 2010 in Atlanta) into a Complete IPv6 Support Some Complete 50-minute session. That challenge is not unlike how I might IP Reputation Cisco Only Yes (soon) share everything I want you to know about Suricata in 1500 +/- words; pretty tough, but I’ll give it a shot. Automated Protocol Detection No Yes GPU Acceleration No Yes Suricata is the primary offering from the Open Information Multi-Platform Native Hard- No Yes Security Foundation (OISF), a non-profit foundation orga- ware Acceleration Support nized to build a next generation IDS/IPS engine, with funded Global Variables/Flowbits No Yes (soon) support from the Department of Homeland Security’s Direc- torate for Science and Technology HOST program (Home- Full Windows Support Some Yes land Open Security Technology) and the Navy’s Space and Inline Windows Support No Yes Naval Warfare Systems Command (SPAWAR). GeoIP Lookups No Yes (soon) To that end, Suricata is an open source, next generation in- Advanced HTTP Parsing No Yes trusion detection and prevention engine.
    [Show full text]
  • Suricata: Caso Di Studio Di Intrusion Detection and Prevention System
    Università degli Studi di Camerino SCUOLA DI SCIENZE E TECNOLOGIE Corso di Laurea in Informatica (Classe L-31) Suricata: caso di studio di Intrusion Detection and Prevention System Laureando Relatore Mirco Pazzaglia Prof. Fausto Marcantoni Matricola 081190 A.A. 2011/2012 «Learn the rules so you know how to break them properly.» Dalai Lama «The quieter you become, the more you can hear.» Ram Dass Ringraziamenti «Ringrazio tutti e tutto, niente e nessuno» I miei più sentiti ringraziamenti vanno a tutti coloro che hanno fatto e fanno parte della mia vita. Ringrazio la mia famiglia per il supporto e l'aiuto che mi ha fornito, e che da sempre mi segue in ogni mio passo verso il futuro. Ringrazio Noemi, mia sorella, che da sempre crede in me e mi sprona a dare il meglio dandomi la fiducia di cui ho bisogno. Non posso mancare di ringraziare tutti i miei amici, da coloro che mi seguono dalla mia infanzia a quelli che si sono aggiunti nel corso degli eventi della mia vita. Compagni d'ogni momento, dal più triste al più felice, hanno tutti contribuito ad arricchire il mio essere e sono loro infinitamente grato per le esperienze che abbiamo condiviso. Un ringraziamento anche ai miei colleghi di studio con i quali c'è sempre stato aiuto e supporto reciproco. Nello specifico vorrei ringraziare i miei due, oltre che amici, colleghi Moschettieri Giacomo e Giacomo con i quali ho condiviso i momenti migliori di questo percorso universitario, siano stati di studio, di svago o di brainstorming. Ringrazio il corpo docenti del corso di laurea in Informatica dell'Università di Camerino e nello specifico il Prof.
    [Show full text]
  • Tiago Filipe Mesquita Da Cunha Deteção De Falsos Alertas De Intrusão Em Redes De Computadores
    Tiago Filipe Mesquita da Cunha Deteção de Falsos Alertas de Intrusão em Redes de Computadores Dissertação de Mestrado Mestrado Integrado em Engenharia Eletrónica Industrial e Computadores Trabalho efetuado sob a orientação do Professor Doutor Henrique Santos Professor Doutor Sérgio Lopes janeiro de 2019 DIREITOS DE AUTOR E CONDIÇÕES DE UTILIZAÇÃO DO TRABALHO POR TERCEIROS Este é um trabalho académico que pode ser utilizado por terceiros desde que respeitadas as regras e boas práticas internacionalmente aceites, no que concerne aos direitos de autor e direitos conexos. Assim, o presente trabalho pode ser utilizado nos termos previstos na licença abaixo indicada. Caso o utilizador necessite de permissão para poder fazer um uso do trabalho em condições não previstas no licenciamento indicado, deverá contactar o autor, através do RepositóriUM da Universidade do Minho. Licença concedida aos utilizadores deste trabalho Atribuição-NãoComercial-CompartilhaIgual CC BY-NC-SA https://creativecommons.org/licenses/by-nc-sa/4.0/ ii AGRADECIMENTOS Este trabalho de dissertação representa o término de uma importante etapa de formação na minha vida, com as mais variadas aprendizagens, tanto a nível pessoal como académico. Para tal, devo e quero expressar, neste pequeno texto, a minha gratidão a todos os intervenientes, que direta ou indiretamente contribuíram para este caminho efetuado. Em primeiro lugar, agradeço aos meus pais, pela oportunidade que me foi concedida de continuar a formação académica e enveredar no ensino superior, assim como pelo acompanhamento, paciência e apoio. De igual modo, um especial agradecimento à minha namorada, pelo carinho, conforto e incentivo, nestas e noutras circunstâncias de maior pressão, que tanto ajudaram a enfrentar as adversidades.
    [Show full text]
  • Analysis of a Suspect Program: Linux
    Chapter 10 Analysis of a Suspect Program: Linux Solutions in this chapter: ■ Analysis Goals ■ Guidelines for Examining a Malicious Executable Program ■ Establishing the Environment Baseline ■ Pre-Execution Preparation: System and Network Monitoring ■ Defeating Obfuscation: Removing the Specimen from its Armor ■ Exploring and Verifying Attack Functionality ■ Assessing Additional Functionality and Scope of Threat ■ Other Considerations ˛ Summary 575 576 Chapter 10 • Analysis of a Suspect Program: Linux Introduction In Chapter 8 we conducted a preliminary analysis of a suspicious file, sysfile, in the case study “James and the Flickering Green Light.” Through the file profiling methodology, tools and techniques discussed in the chapter, we gained substantial insight into the dependencies, symbols and strings associated with the file, and in turn, a predictive assessment as to program’s nature and functionality. In particular, the information we collected from sysfile thus far has revealed that it is an ELF executable file that has not been obfuscated with packing or encryption, and is identified by numerous anti-virus engines as being a backdoor or DDoS agent. Further, the file dependencies discovered in sysfile suggest network capability. Lastly, symbol files referenced a file, kaiten.c, which we learned through research is code relating to known IRC bot program with denial of service capabilities. Building on this information, in this chapter, we will further explore nature, purpose and function- ality of sysfile by conducting a dynamic and static analysis of the binary. Recall that dynamic or behavioral analysis involves executing the code and monitoring its behavior, interaction and effect on the host system, whereas, static analysis is process of analyzing executable binary code without actually executing the file.
    [Show full text]