Saturday, February 8, 2014

From Russia with Love - Behind the Trend Micro-NBC News Honeypots

Source: From Russia with Love - Behind the Trend Micro-NBC News Honeypots


Kyle Wilhoit - Forward-Looking Threat Research Team


Introduction


I was recently invited by NBC News to take part in an experiment with their chief foreign correspondent, Richard Engel, that took place in Moscow, Russia. For this experiment, we created a honeypot environment to emulate a user in Russia for the Sochi Olympics performing basic tasks such as browsing the Internet, checking email, and sending and receiving instant messages. The experiment primarily aimed to gauge how quickly certain devices can be compromised while their user engages in normal online activities. We set up three devices: a MacBook Air®, a Lenovo ThinkPad® running Windows® 7, and a Samsung Galaxy S Android™ smartphone. While attacks identical to the ones observed can and do originate in nearly every country in the world, attacks originating from and/or tied to Russia may be more prevalent. This research paper covers in greater technical detail the environment setup and what happened to the devices mentioned above.


Environment Setup


The first thing we had to consider was how the environment was going to be configured. NBC News wanted the experiment to be performed on new gadgets with no security or software updates. The decision not to put basic precautions in place was made because we were supposed to be regular users in Russia for the Sochi Olympics and wanted to understand the threats faced by attendees who do not take proper precautions. We did, however, need to install standard software considered "lifestyle" or "productivity" applications, such as Microsoft™ Office®, Adobe® Flash®, Java™, and others that aid in viewing websites or processing documents. We chose Microsoft Office 2007 because of its perceived user base. I then downloaded the most recent versions of Flash and Java, since they were the most readily available on their vendors' websites.

We then needed to consider how to collect network traffic. Without this ability, we would not be able to differentiate malicious from normal network traffic. To solve the problem, we tethered our own Wi-Fi access point off the physical connection within the hotel room. We then used a network tap to gain direct access to the traffic flowing from our devices to the outside world. To keep the environment as clean as possible, we installed logging and monitoring tools on a separate Linux box and a virtual machine rather than on the target devices. We used these to capture and analyze network traffic. We used a combination of Snort (custom and standard rules), Bro IDS, tcpdump, ntop, and internal Trend Micro tools to help identify known command-and-control (C&C) servers and malicious binaries that could affect the devices.


In addition to setting up a logging solution, we also connected an email account emulating Richard's real inbox to the phone. The email address we used resided within the NBC News domain and was very similar to Richard's true email address, to help convince any would-be attacker that it was the real thing. We configured the same email account on each of the three devices.

