
Addison wesley virtual honeypots from botnet tracking to intrusion detection jul 2007 ISBN 0321336321


Virtual Honeypots: From Botnet Tracking to Intrusion Detection
by Niels Provos; Thorsten Holz
Publisher: Addison Wesley Professional
Pub Date: July 16, 2007
Print ISBN-10: 0-321-33632-1
Print ISBN-13: 978-0-321-33632-3
Pages: 480
Table of Contents | Index

Overview

Praise for Virtual Honeypots

"A power-packed resource of technical, insightful information that unveils the world of honeypots in front of the reader's eyes."
—Lenny Zeltser, Information Security Practice Leader at Gemini Systems

"This is one of the must-read security books of the year."
—Cyrus Peikari, CEO, Airscanner Mobile Security, author, Security Warrior

"This book clearly ranks as one of the most authoritative in the field of honeypots. It is comprehensive and well written. The authors provide us with an insider's look at virtual honeypots and even help us in setting up and understanding an otherwise very complex technology."
—Stefan Kelm, Secorvo Security Consulting

"Virtual Honeypots is the best reference for honeypots today. Security experts Niels Provos and Thorsten Holz cover a large breadth of cutting-edge topics, from low-interaction honeypots to botnets and malware. If you want to learn about the latest types of honeypots, how they work, and what they can do for you, this is the resource you need."
—Lance Spitzner, Founder, Honeynet Project

"Whether gathering intelligence for research and defense, quarantining malware outbreaks within the enterprise, or tending hacker ant farms at home for fun, you'll find many practical techniques in the black art of deception detailed in this book. Honeypot magic revealed!"
—Dug Song, Chief Security Architect, Arbor Networks

"Seeking the safest paths through the unknown sunny islands called honeypots? Trying to avoid greedy pirates catching treasures deeper and deeper beyond your ports? With this book, any reader will definitely get the right map to handle current cyber-threats.
Designed by two famous white hats, Niels Provos and Thorsten Holz, it carefully teaches everything from the concepts to practical real-life examples with virtual honeypots. The main strength of this book lies in how it covers so many uses of honeypots: improving intrusion detection systems, slowing down and following incoming attackers, catching and analyzing 0-days or malware or botnets, and so on.
Sailing the high seas of our cyber-society or surfing the Net, from students to experts, it's a must-read for people really aware of computer security, who would like to fight against black-hat flags with advanced modern tools like honeypots."
—Laurent Oudot, Computer Security Expert, CEA

"Provos and Holz have written the book that the bad guys don't want you to read. This detailed and comprehensive look at honeypots provides step-by-step instructions on tripping up attackers and learning their tricks while lulling them into a false sense of security. Whether you are a practitioner, an educator, or a student, this book has a tremendous amount to offer. The underlying theory of honeypots is covered, but the majority of the text is a 'how-to' guide on setting up honeypots, configuring them, and getting the most out of these traps, while keeping actual systems safe. Not since the invention of the firewall has a tool as useful as this provided security specialists with an edge in the never-ending arms race to secure computer systems. Virtual Honeypots is a must-read and belongs on the bookshelf of anyone who is serious about security."
—Aviel D. Rubin, Ph.D., Computer Science Professor and Technical Director of the Information Security Institute at Johns Hopkins University, and President and Founder, Independent Security Evaluators

"An awesome coverage of modern honeypot technologies, both conceptual and practical."
—Anton Chuvakin

"Honeypots have grown from simple geek tools to key components in research and threat monitoring at major enterprises and security vendors. Thorsten and Niels' comprehensive coverage of tools and techniques takes you behind the scene with real-world examples of deployment, data acquisition, and analysis."
—Nicolas Fischbach, Senior Manager, Network Engineering Security, COLT Telecom, and Founder of Sécurité.Org

Honeypots have demonstrated immense value in Internet security, but physical honeypot deployment can be prohibitively complex, time-consuming, and expensive. Now, there's a breakthrough solution. Virtual honeypots share many attributes of traditional honeypots, but you can run thousands of them on a single system, making them easier and cheaper to build, deploy, and maintain.

In this hands-on, highly accessible book, two leading honeypot pioneers systematically introduce virtual honeypot technology. One step at a time, you'll learn exactly how to implement, configure, use, and maintain virtual honeypots in your own environment, even if you've never deployed a honeypot before. You'll learn through examples, including Honeyd, the acclaimed virtual honeypot created by coauthor Niels Provos. The authors also present multiple real-world applications for virtual honeypots, including network decoy, worm detection, spam prevention, and network simulation.

After reading this book, you will be able to
- Compare high-interaction honeypots that provide real systems and services and the low-interaction honeypots that emulate them
- Install and configure Honeyd to simulate multiple operating systems, services, and network environments
- Use virtual honeypots to capture worms, bots, and other malware
- Create high-performance "hybrid" honeypots that draw on technologies from both low- and high-interaction honeypots
- Implement client honeypots that actively seek out dangerous Internet locations
- Understand how attackers identify and circumvent honeypots
- Analyze the botnets your honeypot identifies, and the malware it captures
- Preview the future evolution of both virtual and physical honeypots



Copyright
Praise for Virtual Honeypots
Preface
Acknowledgments
About the Authors
Chapter 1. Honeypot and Networking Background
  Section 1.1. Brief TCP/IP Introduction
  Section 1.2. Honeypot Background
  Section 1.3. Tools of the Trade
Chapter 2. High-Interaction Honeypots
  Section 2.1. Advantages and Disadvantages
  Section 2.2. VMware
  Section 2.3. User-Mode Linux
  Section 2.4. Argos
  Section 2.5. Safeguarding Your Honeypots
  Section 2.6. Summary
Chapter 3. Low-Interaction Honeypots
  Section 3.1. Advantages and Disadvantages
  Section 3.2. Deception Toolkit
  Section 3.3. LaBrea
  Section 3.4. Tiny Honeypot
  Section 3.5. GHH—Google Hack Honeypot
  Section 3.6. PHP.HoP—A Web-Based Deception Framework
  Section 3.7. Securing Your Low-Interaction Honeypots
  Section 3.8. Summary
Chapter 4. Honeyd—The Basics
  Section 4.1. Overview
  Section 4.2. Design Overview
  Section 4.3. Receiving Network Data
  Section 4.4. Runtime Flags
  Section 4.5. Configuration
  Section 4.6. Experiments with Honeyd
  Section 4.7. Services
  Section 4.8. Logging
  Section 4.9. Summary
Chapter 5. Honeyd—Advanced Topics
  Section 5.1. Advanced Configuration
  Section 5.2. Emulating Services
  Section 5.3. Subsystems
  Section 5.4. Internal Python Services
  Section 5.5. Dynamic Templates
  Section 5.6. Routing Topology
  Section 5.7. Honeydstats
  Section 5.8. Honeydctl
  Section 5.9. Honeycomb
  Section 5.10. Performance
  Section 5.11. Summary
Chapter 6. Collecting Malware with Honeypots
  Section 6.1. A Primer on Malicious Software
  Section 6.2. Nepenthes—A Honeypot Solution to Collect Malware
  Section 6.3. Honeytrap
  Section 6.4. Other Honeypot Solutions for Learning About Malware
  Section 6.5. Summary
Chapter 7. Hybrid Systems
  Section 7.1. Collapsar
  Section 7.2. Potemkin
  Section 7.3. RolePlayer
  Section 7.4. Research Summary
  Section 7.5. Building Your Own Hybrid Honeypot System
  Section 7.6. Summary
Chapter 8. Client Honeypots
  Section 8.1. Learning More About Client-Side Threats
  Section 8.2. Low-Interaction Client Honeypots
  Section 8.3. High-Interaction Client Honeypots
  Section 8.4. Other Approaches
  Section 8.5. Summary
Chapter 9. Detecting Honeypots
  Section 9.1. Detecting Low-Interaction Honeypots
  Section 9.2. Detecting High-Interaction Honeypots
  Section 9.3. Detecting Rootkits
  Section 9.4. Summary
Chapter 10. Case Studies
  Section 10.1. Blast-o-Mat: Using Nepenthes to Detect Infected Clients
  Section 10.2. Search Worms
  Section 10.3. Red Hat 8.0 Compromise
  Section 10.4. Windows 2000 Compromise
  Section 10.5. SUSE 9.1 Compromise
  Section 10.6. Summary
Chapter 11. Tracking Botnets
  Section 11.1. Bot and Botnet 101
  Section 11.2. Tracking Botnets
  Section 11.3. Case Studies
  Section 11.4. Defending Against Bots
  Section 11.5. Summary
Chapter 12. Analyzing Malware with CWSandbox
  Section 12.1. CWSandbox Overview
  Section 12.2. Behavior-Based Malware Analysis
  Section 12.3. CWSandbox—System Description
  Section 12.4. Results
  Section 12.5. Summary
Bibliography
Index



Copyright

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419

For sales outside of the U.S., please contact:

International Sales

Visit us on the Web: www.awprofessional.com

Library of Congress Cataloging-in-Publication Data
Provos, Niels.
Virtual honeypots / Niels Provos and Thorsten Holz.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-321-33632-3 (paperback : alk. paper)
1. Computer security. I. Holz, Thorsten. II. Title.
QA76.9.A25 P78 2007 005.8—dc22
2007020022

Copyright © 2008 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047

ISBN 13: 978-0-321-33632-3
Text printed on recycled paper at Courier in Stoughton, Massachusetts.
First printing, July 2007




Preface

This book is about understanding computer security through experiment. Before now, you probably thought that if your computer was compromised, it was the end of the world. But we are going to show you how to look at the bright side of break-ins and teach you to appreciate the insights to be gained from botnets, worms, and malware. In every incident there is a lesson to be learned. Once you know about the many different kinds of honeypots, you can turn the tables on Internet-born attackers. This book discusses a vast range of deployment scenarios for honeypots, ranging from tracking botnets to capturing malware. We also encourage you to take the perspective of adversaries by analyzing how attackers might go about detecting your countermeasures. But first let us set the context appropriately.

Computer networks connect hundreds of thousands of computer systems across the world. We know the sum of all these networks as the Internet. Originally designed for research and military use, the Internet became enormously popular after Tim Berners-Lee invented the HyperText Transfer Protocol (HTTP) in 1990 and created the World Wide Web as we know it. As more of us started using the Net, almost all of our social problems transferred into the electronic realm as well. For example, it was human curiosity that created the first Internet worm.[1] Scanning networks for the number of installed computers or their respective configuration is another sign of our curiosity. In fact, receiving a constant stream of network probes is nowadays considered normal and expected. Unfortunately, many of these activities are no longer benign. Darker elements of society have figured out that the Internet provides new opportunities to turn a quick profit. Underground activities range from sending millions of spam e-mails, identity theft, and credit card fraud to extortion via distributed denial of service attacks.

[1] Technically, the first network worm was created in 1982 by Shoch and Hupp of Xerox's PARC, who developed worms such as the Vampire worm, which would seek out underutilized computers and have them solve complex computing tasks [81]. However, in most minds, Internet worms started with Morris, who, among many other contributions, also invented the buffer overflow.

As the Internet becomes increasingly popular, its security is also more important for keeping our electronic world healthy and functioning. Yet, despite decades of research and experience, we are still unable to make secure computer systems or even measure their security. Exploitation of newly discovered vulnerabilities often catches us by surprise. Exploit automation and massively global scanning for vulnerabilities make it easy for adversaries to compromise computer systems as soon as they can locate their weaknesses [91].

To learn which vulnerabilities are being used by adversaries (some of which we might not even be aware of), we could install a computer system on a network and then observe what happens to it. If the system serves no other purpose, then every attempt to contact it seems suspect. If the system is attacked, we have learned something new. We call such a system a honeypot. Its compromise allows us to study which vulnerability was used to break into it or what an adversary does once he has gained complete control over it. A honeypot can be any kind of computing system. It may run any operating system and any number of services. The services we configure determine the attack vectors open to an adversary.

In this book, we often talk about nefarious computer users who want to break into our honeypots. Many readers might expect that we would call these computer users hackers, a term adapted and distorted beyond recognition by the press. However, the authors prefer the traditional definition of the word: A hacker is a person who finds clever technical solutions to problems. Although there is no shortage of good hackers out there, the supply of people who attempt, and succeed, to break into computer systems is much larger. We refer to them as attackers or adversaries.

So far, we have claimed that honeypots allow us to study adversaries and gain insight into their motivations and techniques, but now we will prove it to you with a real case study.

A Real Case

This case tells the story of an actual compromise and what we learned from the adversaries. Our honeypot was closely monitored, and we could observe every single step the adversary took on our system. This incident started on April 3, when our Red Hat 8.0-based honeypot was compromised due to weak SSH passwords. The adversary got access to both a user and the root account. She probably considered herself very lucky to have gained access to a high-speed university network. What she did not know was that we had intentionally installed guessable passwords. (Evil grin.) Actually, this kind of attack is quite common. If you run an SSH server yourself, just take a look at its log files.

Using our log files and other information gathered on the honeypot, it was easy to reconstruct the series of events that took place. As in many movies, the attack took place in the middle of the night. Originating from a university host in Norway, the adversary initiated an attack against the honeypot's SSH server shortly after midnight. Her automatic tools cycled through many thousand different usernames and passwords before she got lucky and guessed the root password. With complete and unlimited access to our system, the adversary, arriving from an Italian IP address this time, downloaded several tools from different web servers to facilitate her malicious actions. Among these tools was an SSH scanner, an IRC client, and a rootkit. Not surprisingly, our adversary used the SSH scanner to find more Internet systems with weak passwords. In addition to the rootkit, a backdoor was installed to allow the adversary to come back at any time without anyone noticing. When the adversary was downloading the movie Get Rich Or Die Tryin' (Spanish), we decided that things had gone on long enough, and we shut down the honeypot.

Attack Timeline

Our in-depth investigation produced the following timeline of events:

00:23:07 AM: After several minutes of scanning, the adversary manages to log in for the first time, utilizing the guest account. Not satisfied, the adversary continued to guess passwords for further accounts.

00:35:53 AM: Jackpot! Successful login as root. However, despite getting root, the password guessing continues—a strong indicator that we are looking at a completely automated attack.

00:51:24 AM: The user guest logs in but logs off a few seconds later. We assume that the adversary manually verified the correctness of the automatically guessed user names and passwords.

00:52:44 AM: The user root logs in, but this time from the IP 83.103.xxx.xxx. While logged in, three new users are created, all of them with group and uid 0, the identity of the system administrator.

00:54:08 AM: The intruder logs in using the guest account and changes the password for this account. She then starts downloading a file with her tools of the trade from a remote web server.

00:54:29 AM: The file completes downloading. It contains an SSH scanner, shell scripts to start it, and two dictionary files to generate user names and passwords. Ten seconds later, files xyz and 1 are downloaded as well. File xyz is another dictionary file for the previously mentioned SSH scanner. File 1 is a simple shell script, which facilitates the proper execution of the SSH scanner.

00:54:53 AM: The adversary initiates an SSH scan against the IP range 66.252.*. The scan finishes after about three minutes. Don't worry: Our control mechanisms prevented any harm to other machines.

00:58:18 AM: The guest, george, and root users log out.

01:24:34 PM: User george logs back in, this time from IP address 151.81.xxx.xxx. The adversary switches to the root account and starts downloading a file called 90. A quick analysis reveals that it is some kind of kernel-modifying program, probably a rootkit.

02:22:43 PM: Another file is downloaded, and the adversary also changes the root password. The new file contains a modified SSH server that listens on port 3209 and another SSH scanner. From now on, all connections to the honeypot were made through the freshly installed backdoor.

02:23:32 PM: The adversary establishes a connection to the mail server mta238.mail.re2.yahoo.com but fails to send an e-mail due to improper formatting of the MAIL FROM header.

02:31:17 PM: The adversary downloads mirkforce.tgz, which contains a modified IRC client. A moment later, she executes the IRC client and connects to an IRC server running at 194.109.xxx.xxx.

02:58:04 PM: The adversary attempts to download the movie Get Rich Or Die Tryin' via HTTP.

03:02:05 PM: A whois query is executed for the domains bogdan.mine.nu and pytycu.ro.

04:46:49 PM: The adversary starts scanning the IP range 125.240.* for more machines with weak SSH passwords. She stops scanning at about 05:01:16 PM.

04:58:37 PM: She downloads the compressed file scanjapan.tar to the /tmp directory. The file contains another SSH scanner with Japanese user name and password dictionaries.

05:30:29 PM: It was time to go home and have a beer, so we shut down the honeypot.

Once the incident was over, we had plenty of time to analyze what really happened. We saved copies of all tools involved and were able to determine their purpose in detail. For example, the installed rootkit was called SucKIT and has been described in detail in Phrack, issue 58 [78]. SucKIT is installed by modifying kernel memory directly via /dev/kmem and does not require any support for loadable kernel modules. Among other things, SucKIT provides a password-protected remote access shell capable of bypassing firewall rules. It supports process, file, and connection hiding, and survives across reboots as well.

There is much more to be learned, and we have dedicated an entire chapter to case studies like this.
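The preface invites you to look at your own SSH server's log files, and the timeline above names two things worth looking for: a run of failed logins that ends in a success, and guessing that keeps going after the attacker already has root (the sign of a fully automated tool), plus the extra uid 0 accounts the intruder created. The following is an added example written for this page, not code from the book, from Honeyd or from the case study; it parses OpenSSH-style auth log lines and an /etc/passwd excerpt that are constructed here (the addresses are documentation ranges, not those of the incident), and the failure threshold of 5 is an assumption of the example rather than a figure from the book.

```python
"""SSH password-guessing indicators from sshd log lines.

Example code added for this page, not code from the book, from Honeyd or from
the case study. Sample log lines and the passwd excerpt are constructed; the
addresses are documentation ranges, not those of the incident.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth-log result line, e.g. "Apr  3 00:23:07 host sshd[2101]: Failed
# password for invalid user admin from 192.0.2.10 port 40001 ssh2". Other
# sshd messages (session open/close and so on) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = [  # constructed: one guessing source, one legitimate key login
    "Apr  3 00:20:01 honeypot sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2",
    "Apr  3 00:20:03 honeypot sshd[2102]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2",
    "Apr  3 00:20:05 honeypot sshd[2103]: Failed password for root from 192.0.2.10 port 40003 ssh2",
    "Apr  3 00:20:07 honeypot sshd[2104]: Failed password for guest from 192.0.2.10 port 40004 ssh2",
    "Apr  3 00:20:09 honeypot sshd[2105]: Failed password for invalid user oracle from 192.0.2.10 port 40005 ssh2",
    "Apr  3 00:23:07 honeypot sshd[2106]: Accepted password for guest from 192.0.2.10 port 40006 ssh2",
    "Apr  3 00:25:10 honeypot sshd[2107]: Failed password for root from 192.0.2.10 port 40007 ssh2",
    "Apr  3 00:35:53 honeypot sshd[2108]: Accepted password for root from 192.0.2.10 port 40008 ssh2",
    "Apr  3 00:36:02 honeypot sshd[2109]: Failed password for invalid user postgres from 192.0.2.10 port 40009 ssh2",
    "Apr  3 00:36:05 honeypot sshd[2108]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Apr  3 09:15:44 honeypot sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2",
]

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
hidden:x:0:0::/tmp:/bin/bash
bogus:x:1003:0::/home/bogus:/bin/bash
"""


def parse_line(line, year=2007):
    """Parse one login result line into ts/ok/user/ip, or return None.
    Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day in "Apr  3"
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def analyze(lines, threshold=5):
    """Per source IP, count failures around the first success and derive
    three indicators. threshold (how many failures count as guessing) is an
    assumption of this example, not a value from the book."""
    by_ip = defaultdict(list)
    for event in filter(None, (parse_line(line) for line in lines)):
        by_ip[event["ip"]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        before = after = 0  # failures before / after the first success
        first_success = None
        for e in events:
            if e["ok"]:
                if first_success is None:
                    first_success = e
            elif first_success is None:
                before += 1
            else:
                after += 1
        findings[ip] = {
            "failed_logins": before + after,
            "brute_force": before >= threshold,  # a burst of failures
            # the burst ended in a working password: guessed, not known
            "success_after_guessing": first_success is not None and before >= threshold,
            # guessing went on after a success: the tool never noticed it won
            "guessing_after_success": first_success is not None and after > 0,
            "compromised_accounts": sorted({e["user"] for e in events if e["ok"]}),
        }
    return findings


def extra_uid0_accounts(passwd_text):
    """Names of accounts other than root whose uid or gid is 0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] != "root" and "0" in (fields[2], fields[3]):
            found.append(fields[0])
    return found


def report(lines=SAMPLE_LOG, passwd=SAMPLE_PASSWD):
    findings = analyze(lines)
    for ip, f in sorted(findings.items()):
        flags = [k for k in ("brute_force", "success_after_guessing",
                             "guessing_after_success") if f[k]]
        print(f"{ip}: {f['failed_logins']} failed logins, logged in as "
              f"{f['compromised_accounts']}, indicators: {', '.join(flags) or 'none'}")
    print("accounts besides root with uid or gid 0:", extra_uid0_accounts(passwd))
    return findings


if __name__ == "__main__":
    report()
```

Run as a script it prints one summary line per source address; on the constructed sample, 192.0.2.10 trips all three indicators and the key-based login from 198.51.100.7 trips none, and the passwd check lists the two non-root uid 0 accounts. On a real system, feed it the lines of /var/log/auth.log (or secure) and the contents of /etc/passwd; because the per-source counters only look at the order of successes and failures, the same logic works regardless of how fast the guessing tool runs.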

Target Audience

We wrote this book to appeal to a broad spectrum of readers. For the less experienced who are seeking an introduction to the world of honeypots, this book provides sufficient background and examples to set up and deploy honeypots even if you have never done so before. For the experienced reader, this book functions as a reference but should still reveal new aspects of honeypots and their deployment. Besides providing solid foundations for a wide range of honeypot technologies, we are looking at the future of honeypots and hope to stimulate you with new ideas that will still be useful years from now.

Road Map to the Book

Although you are more than welcome to read the chapters in almost any order, here is a chapter overview and some suggestions about the order that you may find helpful.

Chapter 1 provides a background on Internet protocols, honeypots in general, and useful networking tools. This chapter is intended as a starting point for readers who are just learning about this topic.

Chapters 2 and 3 present honeypot fundamentals important for understanding the rest of the book. We introduce the two prevalent honeypot types: high-interaction and low-interaction. Low-interaction honeypots emulate services or operating systems, whereas high-interaction honeypots provide real systems and services for an adversary to interact with.

Chapters 4 and 5 focus on Honeyd, a popular open source honeypot framework that allows you to set up and run hundreds of virtual honeypots on just a single physical machine. The virtual honeypots can be configured to mimic many different operating systems and services, allowing you to simulate arbitrary network configurations.

Chapter 6 presents different approaches for capturing malware, such as worms and bots, using honeypots. Because botnets and worms are significant risks to today's Internet, the honeypots presented in this chapter will help you learn more about these threats.

Chapter 7 discusses different approaches for creating high-performance honeypots that combine technologies from both low- and high-interaction honeypots. These hybrid systems are capable of running honeypots on over 60,000 different IP addresses.

In Chapter 8, we turn the tables, and instead of waiting to be attacked, we present the concept of client honeypots that actively seek out dangerous places on the Internet to be compromised.

Taking the viewpoint of an attacker, Chapter 9 discusses how to detect the presence of honeypots and circumvent logging. This is what adversaries do to make the life of honeypot operators harder. By understanding their technologies, we are better prepared to defend against them.

In Chapter 10, we present several case studies and discuss what we learned from deploying virtual honeypots in the real world. For each honeypot that was compromised, we present a detailed analysis of the attackers' steps and their tools.

Botnets, networks of compromised machines under remote control of an attacker, are one of the biggest threats on the Internet today. Chapter 11 presents details on botnets and shows what kind of information can be learned about them with the help of honeypots.

Because honeypots often capture malware, Chapter 12 introduces CWSandbox, a tool that helps you to automatically analyze these binaries by creating behavior profiles for each of them. We provide an overview of CWSandbox and examine a sample malware report in great detail.

If you are unfamiliar with honeypots and want to learn the basics before delving into more complex topics, we strongly encourage you to start with Chapters 1–3. These chapters will help you get an understanding of what the methodology is about and what results you can expect from deploying honeypots.

Once you know the basics, you can dive right into the more advanced topics of Honeyd in Chapters 4 and 5. Chapter 6 discusses capturing autonomously spreading malware like worms and bots. Closely related to Chapter 6 are Chapter 11 on botnets and Chapter 12 on malware analysis. But you can also learn more about hybrid approaches in Chapter 7 and the new concept of client-side honeypots in Chapter 8. Chapters 9 and 10 are also rather independent: The former introduces several ways to detect the presence of honeypots, a risk you should always have in mind. The latter presents several case studies that show you which kind of information you can learn with honeypots based on real-world examples.

Although the chapters are organized to build on each other and can be read in their original order, most chapters can be understood by themselves once you are familiar with the basic concepts. If any chapter looks particularly interesting to you, don't hesitate to skip forward and read it.

Prerequisites

When reading this book, familiarity with the basic concepts of network security will prove helpful. We expect you to be familiar with the terms firewall and intrusion detection system (IDS), but it is not necessary for you to have extensive knowledge in any of these areas. Our first chapter lays the basic background for most of what is required to understand the rest of the book. We also make extensive use of references for anyone who would like to get more details on topics we discuss.

Since many honeypot solutions are designed to run on Linux or BSD variants, it is helpful to have some basic understanding of these operating systems. However, even if you are an avid Windows user, you can install a virtual machine to experiment with these operating systems. Doing so by itself teaches many of the principles that underlie honeypot technologies. That way, you can better understand the tools we introduce and also experiment with them yourself. We often give step-by-step guidance on how to install and configure a specific solution and point you to further references. So even with only some background, you should be able to learn more about the fascinating topic of virtual honeypots.


Acknowledgments

We could not have written this book on our own. While writing this book, we borrowed from the knowledge of many researchers and practitioners who have moved honeypots forward over the years. However, besides concrete technical help, many people helped us also with other aspects that go into writing a book. We owe

Thanks to Thérèse Pasquesi for reviewing and editing chapters, cooking fantastic Italian food, and her patience, especially when writing the book took entire weekends.

Thanks to our anonymous reviewers and Stefan Kelm, Jose Nazario, Cyrus Peikari, Dug Song, Lance Spitzner, and Lenny Zeltser for their helpful feedback and constructive criticism.

Special thanks to Lance Spitzner for organizing the Honeynet Project, since the authors would not have known each other but for the contacts provided by Lance. Moreover, this book would not have been possible without Laurent Oudot.

Many thanks to our editor, Jessica Goldstein, and her assistant, Romny French. Moreover, Kristin Weinberger helped us out when Jessica was on maternity leave. Without the people from Addison-Wesley, this book would not have been possible. We would also like to thank Mary Franz, who got us involved in this project to begin with.

Without your help, this book would not have been possible.

— Niels Provos and Thorsten Holz
Mountain View, California
May 2007


About the Authors

Niels Provos received a Ph.D. from the University of Michigan in 2003, where he studied experimental and theoretical aspects of computer and network security. He is one of the OpenSSH creators and known for his security work on OpenBSD. He developed Honeyd, a popular open source honeypot platform; SpyBye, a client honeypot that helps webmasters to detect malware on their web pages; and many other tools such as Systrace and Stegdetect. He is a member of the Honeynet Project and an active contributor to open source projects. Provos is currently employed as senior staff engineer at Google, Inc.

Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems at the University of Mannheim, Germany. He is one of the founders of the German Honeynet Project and a member of the Steering Committee of the Honeynet Research Alliance. His research interests include the practical aspects of secure systems, but he is also interested in more theoretical considerations of dependable systems. Currently, his work concentrates on bots/botnets, client honeypots, and malware in general. He regularly blogs at .

