A Honeypot that Fights Back

Monday, April 1, 2013 @ 01:04 PM gHale

A Russian researcher built an aggressive honeypot to test the ability to hack back at attackers.

Alexey Sintsov, a security researcher and co-founder of DefCon Russia, ran an experimental homegrown “aggressive” honeypot from the second quarter of 2011 through the third quarter of 2012 on the DefCon Russia website he manages in anticipation of the site being a target of attackers.


Sintsov said not only was it easy to attract attackers, it was simple to gather their network adapter settings, trace routes, and login names.

The honeypot, which is no longer active, installed a backdoor agent via a Java applet and exploited JSONP hijacking vulnerabilities in two email services.

The trap was specifically set for SQL injection attacks. Sintsov used two basic lures for potential attackers on the site: a PHP-based honeypot server that included a social engineering element, and an automated attack that grabbed the attacker’s email address if he or she used one of two Russian email services, mail.ru and yandex.ru, by exploiting now-patched vulnerabilities in those services.

The PHP portion included a field for “members” to enter their “secret code” to enter the “private zone,” he said. “So it’s a good idea to try a SQL injection attack” there, he said of the lure.

“My script had [a] few checks for some patterns, and when a SQL injection attempt was detected, the script [threw the] Java applet, ‘GUI for member zona. Welcome,'” he said. The Java applet then installed a backdoor on the attacker’s Windows machine, he said.

While it is possible with the attacking honeypot to grab the attacker’s internal IP addresses and resources, scan for files and BSSIDs, and make audio and video recordings from his laptop, among other things, Sintsov didn’t go that far because that would be over the top in the information security industry, he said.

Aggressive and offensive honeypots are a controversial concept and the legal ramifications are tricky. Sintsov, who presented his honeypot experiment findings at the March Black Hat Europe in Amsterdam, said the legal issues are up for interpretation. The Java applet and email grabber were in a “private zone” on the website, for example, so why would the honeypot operator be at fault if someone hacked into that area and ran something like a SQL injection attack, he said.

Sintsov said running an aggressive honeypot that attacks back at attackers would be difficult for a typical enterprise to justify. “But if we can exclude law questions, I think it is a good thing to try for the oil sector or smart grid,” he said.

Click here to read Sintsov’s honeypot paper.
