JavaOne 2013 - BOF2924 Niels van Eijck Principal Consultant, NCIM

n.van.eijck@ncim.nl @nvaneijck

2

Java Developer Principal Consultant @NCIM Currently @Dutch National Cyber Security

Centre (NCSC-NL)

Introduction HoneySpider Network Service Development Demo Summary

3

Every piece of software contains vulnerabilities! Browsers (IE, Firefox, Chrome, Opera, WGET) Flash, Acrobat Reader, etc.

4

5

Benign content

Benign content

HoneySpider Network

Early warning system Scan periodically Trusted websites

Benign content

6

Malicious content

Benign content

Benign content

HoneySpider Network

Early warning system Scan periodically Trusted websites Detect malicious content Report

7

8

9

Intelligence gathering

Inject exploit in selected sites

Drop malware on vulnerable

systems

Initiate malicious activity

10

Images courtesy of chanpipat / FreeDigitalPhotos.net

1

2

3

4

Major news sites NU.nl Telegraaf.nl

Government sites whitehouse.gov dol.gov

Political related sites rsf.org

11

12 Source: threatpost.com / netsecurity.org

February 2013 Clients exploited via Java6 vulnerability Apple, Facebook & Twitter compromised

13

14 Source: zdnet.com / foxit.com

August 2013 First noticed at conrad.nl Visitors are redirected to site serving

Blackhole exploit kit (PDF & Java) Turns out conrad.nl is not the only one

15

Hosting provider targeted by phishing email PDF containing malware

One client got compromised Credentials obtained for DNS registrar

DNS Nameserver entry changed

Legitimate action…

16

17

All this shows a need to invest in early detection and analysis of attacks on clients

Meet HoneySpiderNetwork 2 (HSN)

18

Introduction HoneySpider Network Service Development Demo Summary

19

Started as joint venture

CERT-Polska

Dutch National Cyber Security Centre (NCSC-NL)

Work on version 2 started in 2011

Code released under GPL license in january 2013

20

Early warning system Detects attacks on client applications

Webpages Files

Supports variety of services & analyzers Flexible configuration Scalable Open architecture

21

Operational

22

HoneySpider Network

Services Services

Services

Services Services

Jobs

Reporting

Report DB

Web interface

CLI

export

Communication RabbitMQ (AMQP) Google Protocol Buffers

Workflows Activiti Git

Storage Apache CouchDB JSON documents

Programming languages Java Python C++

23

24

HSN Workflow Language (HWL) XML

25

Process

• File with URLs

Each URL

• Service “A”

• Service “B”

Reporter

• Aggregate results from services

• Store in database

Input / Output

26

Feeder (file / url)

Reporter

Web Clients

HtmlUnit Thug

Honeypots

Capture HPC Cuckoo

Scanners

Antivirus Shellcode

Analyzers

JavaScript PDF

MS Office Flash

High interaction honeypot

Vulnerable system visits website

Activity is recorded

Uses virtualization software Analysis plugins Reporting plugins

27

Django framework Supports scheduling of jobs Basic statistics RSS feeds of malicious results

28

Introduction HoneySpider Network Service Development Demo Summary

29

package nl.ncim.hsn2.service;

import ...;

public class DemoService implements org.apache.commons.daemon.Daemon {

private GenericService service = null;

@Override

public void init(DaemonContext context) throws DaemonInitException, Exception {

this.service = new GenericService(new DemoServiceTaskFactory(), ...);

}

@Override

public void start() throws Exception {

...

service.run();

...

}

}

30

package nl.ncim.hsn2.service;

import ...;

public class DemoService implements org.apache.commons.daemon.Daemon {

private GenericService service = null;

@Override

public void init(DaemonContext context) throws DaemonInitException, Exception {

this.service = new GenericService(new DemoServiceTaskFactory(), ...);

}

@Override

public void start() throws Exception {

...

service.run();

...

}

}

31

package nl.ncim.hsn2.service;

import ...;

public class DemoServiceTaskFactory implements TaskFactory {

@Override

public Task newTask(TaskContext jobContext, ParametersWrapper parameters, ObjectDataWrapper data)

throws ParameterException {

return new DemoServiceTask(jobContext, data);

}

}

32

package nl.ncim.hsn2.service;

import ...;

public class DemoServiceTaskFactory implements TaskFactory {

@Override

public Task newTask(TaskContext jobContext, ParametersWrapper parameters, ObjectDataWrapper data)

throws ParameterException {

return new DemoServiceTask(jobContext, data);

}

}

33

package nl.ncim.hsn2.service;

import ...;

public class DemoServiceTaskFactory implements TaskFactory {

@Override

public Task newTask(TaskContext jobContext, ParametersWrapper parameters, ObjectDataWrapper data)

throws ParameterException {

return new DemoServiceTask(jobContext, data);

}

}

34

package nl.ncim.hsn2.service;

import ...

/**

* The task class for the HSN2 Demo Service. This is the place where the actual work is being done.

*/

public class DemoServiceTask implements Task {

private TaskContext jobContext;

private String url;

public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) {

this.jobContext = jobContext;

this.url = data.getString("url_original");

}

@Override

public void process() throws ParameterException, ResourceException, StorageException {

jobContext.addAttribute("statement", "JavaOne Rocks!");

}

}

35

package nl.ncim.hsn2.service;

import ...

/**

* The task class for the HSN2 Demo Service. This is the place where the actual work is being done.

*/

public class DemoServiceTask implements Task {

private TaskContext jobContext;

private String url;

public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) {

this.jobContext = jobContext;

this.url = data.getString("url_original");

}

@Override

public void process() throws ParameterException, ResourceException, StorageException {

jobContext.addAttribute("statement", "JavaOne Rocks!");

}

}

36

package nl.ncim.hsn2.service;

import ...

/**

* The task class for the HSN2 Demo Service. This is the place where the actual work is being done.

*/

public class DemoServiceTask implements Task {

private TaskContext jobContext;

private String url;

public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) {

this.jobContext = jobContext;

this.url = data.getString("url_original");

}

@Override

public void process() throws ParameterException, ResourceException, StorageException {

jobContext.addAttribute("statement", "JavaOne Rocks!");

}

}

37

{

"type":"analysis",

"job":<<@|hsn-job-id>>,

"service":"demo-service",

"node":<<@|hsn-node-ref>>,

"classification":"benign",

"details":

{

"structure":"list",

"name":"Analysis details of Demo Service",

"value":

[

{

"structure":"text",

"name":"Statement",

"value":<<statement>>

},

]

}

}

38

Introduction HoneySpider Network Service Development Demo Summary

39

Java SE 7 JRE Exploit (CVE-2012-4681)

Vulnerabilities in the JRE allow attackers to escape from the sandbox environment

Fixed in Java SE 7 JRE update 7 currently at 7u40...

40

41

HoneySpider Network

Cuckoo Service

VM with Metasploit

Cuckoo

42

HoneySpider Network

Cuckoo Service

Job

VM with Metasploit

Cuckoo

43

HoneySpider Network

Cuckoo Service

Job

VM with Metasploit

Cuckoo Windows XP

virtual machine

Windows XP virtual machine

44

HoneySpider Network

Cuckoo Service

Job

VM with Metasploit

Cuckoo

45

HoneySpider Network

Cuckoo Service

Report

VM with Metasploit

Cuckoo

Calc.exe aka Hello, world! A hacker would execute more serious stuff

> format C:

botnet client

keylogger

46

47

Introduction HoneySpider Network Service Development Demo Summary

48

HoneySpiderNetwork; a Java based system to hunt down malicious websites

Visit www.honeyspider.net Feel free to try it

Appliance (virtualbox) Installation Guide Github (https://github.com/CERT-Polska/hsn2-bundle)

Call for developers!

49

50

Thank you for your attention!

n.van.eijck@ncim.nl @nvaneijck