Using Honeypots to Analyze Bots and Botnets

Abstract

In this Master thesis we will perform honeypot experiments where we allow malicious users access to systems and analyze their behaviour. Our focus will be on botnets, and how attackers progress to infect systems and add them to their botnet. Our experiments will include both high-interaction honeypots where we let attackers manually access our system, and low interaction-honeypots where we receive automated malware. The high-interaction honeypots are normal Linux distributions accessing the internet through a Honeywall that captures and controls the data flow, while the low-interaction honeypots are running the Nepenthes honeypot. Nepenthes acts by passively emulating known vulnerabilities and downloading the exploiting malware. The honeypots have been connected to both the ITEA and UNINETT networks at NTNU. The network traffic filtering on the IP addresses we have received, has been removed in order to capture more information. Installing the honeypots is a rather complicated matter, and has been described with regard to setup and configuration on both the high and low interaction honeypots. Data that is captures has been thoroughly analyzed with regard to both intent and origin. The results from the high-interaction honeypots focus on methods and techniques that the attackers are using. The low-interaction honeypot data comes from automated sources, and is primary used for code and execution analysis. By doing this, we will gain a higher degree of understanding of the botnet phenomenon, and why they are so popular amongst blackhats. During the experiments we have captures six attacks toward the high-interaction honeypots which have all been analyzed. The low-interaction honeypot, Nepenthes, has captured 56 unique malware samples and of those 14 have been analysed. In addition there has been a thorough analysis of the Rbot.