2008-02-14
Article continued from Page 2
A common exploitation technique is remote file inclusion. Some
configurations of PHP allow the executing program to include files that
reside on other web or FTP servers. When a particular program doesn't
take care to check its input before it makes an include($mylibrary);
statement, the attacker can often execute code of their choosing on the
webserver. Alternatively, part of PHPHoP is a PHP script which attempts
to analyse and download payloads as a direct response to the malicious
request. The former may prove more useful, as it is designed to run on
production servers without interfering with their operation. There are
many other flaws in web applications, however, such as SQL injection
and direct command injection, as in a commonly exploited AWStats bug.
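The include($mylibrary); pattern described above, shown beside a hardened version, as an added example that is not code from the original article or from PHPHoP. The library directory, the file names in the allow-list and the request parameter name are assumptions made for the illustration.

```php
<?php
// Added example (not from the original article): remote file inclusion via an
// unchecked include(), beside a hardened equivalent.
// Assumes a hypothetical "libs/" directory containing report.php and export.php.

// Vulnerable: the include target comes straight from the request. When the
// PHP configuration permits URL includes (allow_url_include=On), a remote
// URL supplied in the parameter is fetched and executed by the server.
function load_library_vulnerable(): void
{
    $mylibrary = $_GET['lib'];   // untrusted, unvalidated
    include($mylibrary);
}

// Hardened: map the request value onto a fixed allow-list of known files, then
// confirm the resolved path still lies inside the library directory.
// Returns false (and includes nothing) for anything outside the allow-list.
function load_library_safe(string $name, string $baseDir): bool
{
    $allowed = ['report' => 'report.php', 'export' => 'export.php'];
    if (!isset($allowed[$name])) {
        return false;   // unknown library name: refuse rather than guess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$name]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // file missing, or resolved outside the library directory
    }
    include $path;
    return true;
}

// Usage (hypothetical): only 'report' and 'export' can ever be included.
// load_library_safe($_GET['lib'] ?? '', __DIR__ . '/libs');
```

The allow-list, not the path check alone, is what closes the hole: a remote URL can never match a key in the map, so allow_url_include is no longer load-bearing for the application's safety. Setting allow_url_include = Off in php.ini remains a sensible defence in depth for code that has not been reviewed.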
Some honeypots are better at catching particular attacks than
others, and ideally a mixture of honeypots would provide the best
insight into current attacks. For example, the catch-all ErrorDocument
handler used in part of PHPHoP will not trap POST data properly, as
Apache doesn't pass this information on to ErrorDocument handlers. To
do this you either need a custom-written webserver, or to create PHP
scripts with the exact names of files you are looking to emulate. The
latter might be something like an attempt to exploit a PHPXMLRPC
vulnerability by a POST to /xmlsrv/xmlrpc.php. More detail on some of the
tools and methods for monitoring web application attacks can be found
in Know Your Enemy: Web Application Threats. The paper 'Web Server
Botnets and Hosting Farms as Attack Platforms' (pdf), first published
in Virus Bulletin, February 2007, also goes into detail about web
application attacks, and subsequent use of compromised hosts. It also
describes an attempt to measure, share information and counteract this
threat called The Web Honeynet Task Force.
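A script of the kind just described, placed at the exact path being emulated so that the POST body an ErrorDocument handler never sees is recorded, as an added example that is not part of the original article or of PHPHoP. The log file location and the size limit on stored bodies are assumptions.

```php
<?php
// Added example (not from the original article): a low-interaction honeypot
// script installed under the emulated name, e.g. /xmlsrv/xmlrpc.php.
// Because the request reaches a real script rather than an ErrorDocument
// handler, the raw POST body is available via php://input.
// Assumes a hypothetical log path outside the web root; adjust as needed.

function capture_request(string $logFile): array
{
    $record = [
        'time'    => gmdate('c'),
        'remote'  => $_SERVER['REMOTE_ADDR'] ?? '',
        'method'  => $_SERVER['REQUEST_METHOD'] ?? '',
        'uri'     => $_SERVER['REQUEST_URI'] ?? '',
        'headers' => function_exists('getallheaders') ? getallheaders() : [],
        // Raw body: present for any Content-Type, unlike the parsed $_POST array
        'body'    => file_get_contents('php://input'),
    ];
    // Bound the stored body so a large upload cannot fill the log volume
    $record['body'] = substr($record['body'], 0, 65536);
    file_put_contents($logFile, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
    return $record;
}

$record = capture_request('/var/log/honeypot/xmlrpc.log');   // hypothetical path

// Reply with a generic XML-RPC fault so automated tools see a live endpoint,
// while nothing from the request is parsed or executed.
header('Content-Type: text/xml');
echo '<?xml version="1.0"?><methodResponse><fault><value><struct>'
   . '<member><name>faultCode</name><value><int>-32700</int></value></member>'
   . '<member><name>faultString</name><value><string>parse error</string></value></member>'
   . '</struct></value></fault></methodResponse>';
```

One record per request, as a single JSON line, keeps the log easy to grep and to feed into whatever analysis tooling is collecting the payloads; writing it with LOCK_EX avoids interleaved lines when several requests arrive at once.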
Recently, a more sophisticated method of building web application honeypots is described in Michael Mueter's MSc thesis. This toolkit allows arbitrary PHP applications to be turned into high-interaction honeypots and has been tested with software such as PHPMyAdmin, PHP-Nuke and PHPBB.
Potential issues with honeypots
Secrecy is paramount when deploying a honeypot or honeynet. If everyone knows it is a trap, no-one will attempt to attack it at all, except perhaps automated tools such as worms. Some honeypots, especially low interaction ones, may be easily identified as honeypots by an attacker due to their emulation of services. Any emulation of a complex system will always differ from the real thing; for example, there are a variety of ways for a program to check if it is running within a virtual machine and malware is increasingly using these techniques to hamper analysis. There will always be an arms race between those trying to develop ways of detecting honeypots, and those who are trying to improve honeypots so they are harder to fingerprint.
Client-side attack frameworks exist, such as MPack, that contain automated mechanisms that make detection and analysis of malicious web servers with client honeypots more difficult (see KYE: Behind the Scenes of Malicious Web Servers for details). For example, client-side attacks might not trigger if the client honeypot accesses a malicious web server from a specific network (for example, from our research lab) and/or client-side attacks might only trigger once. Upon repeated interaction, the malicious web server might not launch client-side attacks anymore making tracking and analysis of the malicious server and its attack difficult.
Another concern is that if a high interaction honeypot is compromised, the attacker may attempt to use this as a stepping stone to damage or take over other systems. Ideally the honeypot should use several mechanisms to prevent this, and the operator should pay close attention so no harm comes to innocent third parties. In some jurisdictions, legal liability for the actions of users of the honeypot may be a concern, as may local electronic interception laws.
The Future
A large amount of data about attackers and their methods has been gathered by the use of honeypots of various sorts over many years, and we expect to see this trend continuing. Honeypots are now being used increasingly in mainstream applications, and an ever increasing array of tools is available to the amateur and professional. In particular, we expect to see significant developments in the field of client honeypots this year, as Internet Explorer flaws continue to remain one of the most critical Windows vulnerabilities according to the current SANS Top 20 and IPv6 is slowly but inevitably being adopted. Similarly, web applications are the most critical of the cross-platform vulnerabilities in the same list. We may also see newer applications, such as VoIP and SCADA honeypots, starting to become widespread (although a few groups are already deploying these) as abuse of these protocols becomes more important to the community.
As honeypots gain importance for detecting and analysing attacks, it is suspected that attackers will develop techniques to identify and avoid honeypots. The MPack web exploitation framework is already going down this route. As these techniques become more prevalent, Honeynet technology is likely to respond to make such detection more difficult. Distributed honeynets and honeynet implementations that are not based on virtualization technology (itself another vector for detecting honeypots) are likely to gain importance. The arms race between attackers and security researchers is continuing, but at this point in time, honeypots still provide us with invaluable data about the attackers and attacks of the real world.
Further Reading
For questions specifically about honeypots, the SecurityFocus.com honeypots mailing list "is dedicated to the research, development, and understanding of honeypots and honeypot related technologies."
Niels Provos and Thorsten Holz' new book Virtual Honeypots: From Botnet Tracking to Intrusion Detection gives an in-depth account of all kinds of honeypots.
