Researcher sets up honeypot to counterattack, identifies attackers

I believe that most infosec professionals have, at one time or other, wished they could fight back when some of the resources they are tasked with protecting came under attack by hackers. It’s not a question of whether it’s possible or not, but of being legally forbidden to in the great majority of cases.

Security researcher Alexey Sintsov, who is also a co-founder the first Defcon community group in Russia, has effectively protected himself from legal repercussions by making attackers pick up the malware themselves from a clearly forbidden zone (protected by a password / invite code) of the honeypot he set up on the group’s website.

By providing the honeypot with a series of obvious entry points and some that were less conspicuous, he managed to discern whether the attackers were automated (bots), script kiddies, white hat researchers, or highly motivated hackers.

For the last two groups, he made it obvious that the site can be successfully breached by SQL injection. But while white hat hackers would stop after confirming the existence of the bug, motivated hackers proceeded to exploit it, extract the password, and use it to authenticate themselves and gain access to the forbidden zone of the site.

When an SQLi attack was detected by a specially crafted script, it would throw a Java applet named “GUI for member zona. Welcome” at the attacker. If the download was approved by the attacker, a backdoor on the attacker’s computer would be installed.

In order not to break laws, the backdoor would avoid collecting personal or any other type of information except system information, and it would then send it to a remote server controlled by the researcher. For the same reason, the backdoor had no remote control capabilities.

This type of counterattack (or “reverse penetration” as Sintsov calls it) was the only one for which the honeypot was equipped when the experiment was launched in May 2011. In January 2012 he added two exploits for Mail.ru and Yandex.ru – two of the most popular email services in Russia – which allowed the honeypot to harvest the attackers’ mail address if they authenticated through web interfaces and the session was active at the time of the attack.

He ended the experiment in July 2012 by “deactivating” the web page. In the time period during which it was available, 484 unique SQL attacks to bypass authentication by “invite code” were mounted, and in 68 instances the “reverse penetration” attack worked.

Most of the detected SQL injection attacks seemed mounted by white hats – some of the registered IPs belonged to a Russian information security company, the Russian Ministry of Defense, and an Intelligence Agency of one of the countries of the Commonwealth.

He later discovered that in this last case, the workstation has been likely compromised and used as a cover by a hacker that afterwards repeated the attack from another workstation from the same country.

In addition to this, the “evil” Java applet was downloaded on a virtual host of an antivirus company, as well as the Domain network of one of the largest Russian IT security companies.

But even though the experiment was successful, the implementation of such counterattack measures is tricky in the real world due to obvious ethical and legal issues.

“I think that these methods can be used for protection at the state level and, probably, already exist these days,” Sintsov pointed out. “However, using these techniques for the commercial/ enterprise sector can be difficult because of legal issues of the methods of defense.”

The results of the experiment were made public earlier this month at Black Hat Europe.

Don't miss