The number of malicious servers in the .nz domain has increased dramatically, according to honeypot experiments conducted at Victoria University.
“When we started in April last year we found 51 malicious servers; there are now in the order of 90,” says VUW senior lecturer Dr Peter Komisarczuk.
There is a “core set” of malicious sites that have persisted throughout the period of the research, he says. Others have been fixed, but these have been outnumbered by newly compromised servers.
One of the most worrying examples was a spoof version of the traffic analysis tool Google Analytics, coming from a site in the US, that had been innocently downloaded and installed, mistaken for the genuine article.
The research team did not disclose details to the owners of affected sites, because they wanted to explore long-term trends. The Centre for Critical Infrastructure Protection and the Australian Computer Emergency Response Team (AusCERT) were, however, kept informed. The decision not to disclose the exploits was also discussed with InternetNZ, but not with the university’s ethics team, which checked other aspects of the project.
“It’s not our job to be the policeman of the internet,” Komisarczuk says, defending the project’s stance.
It is for CCIP or AusCERT to take further action if they think that is warranted, he says.
The sites concerned are not popular ones, he adds; nor were there any findings that indicated previously unknown issues with operating systems or browser software.
“If we’d seen a large issue, we would have been more forthcoming.”
Many of the problems are probably due to inexperienced system and network administrators, Komisarczuk says. Education and publicity for diagnostic tools are the most evident remedies. Large organisations such as banks have such problems well under control, he adds.
“It’s the smaller guys that have the issues.”
The .nz space is “relatively benign” compared to Australian, US or UK domains, he says. The team conducted a small-scale comparative trial and is part of the international Honeynet project.
A “honeypot” in this project consists of a virtual machine running Windows XP with an Internet Explorer 6 browser, together with a set of applications that detect anomalous behaviour such as attempted modification of the registry.
This is set up to contact “hundreds of thousands of URLs” and to pass on information concerning any apparent bad behaviour for further investigation.
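The detection step described above, a guest that visits a URL and reports anything that changed, can be illustrated with a small state-diff classifier. The following is an added example written for this article, not code from the Victoria University team or any honeypot project; the registry keys, file paths, processes, allow-list and the two simulated visits are all constructed stand-ins for what a real honeypot would read out of the virtual machine before and after the browser is driven to each URL.

```python
"""Client-honeypot state-diff classifier (constructed example, not the VUW
team's code). Take a snapshot of the monitored guest state, visit a URL,
snapshot again, and flag the URL if anything outside an allow-list changed."""
from dataclasses import dataclass, field

# Locations a browser visit is expected to touch (constructed allow-list; a
# real deployment would derive this from repeated visits to known-clean URLs).
BENIGN_PREFIXES = (
    r"file:C:\Documents and Settings\user\Local Settings\Temporary Internet Files",
    r"file:C:\Documents and Settings\user\Cookies",
    r"reg:HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement",
)


@dataclass
class Verdict:
    url: str
    malicious: bool
    changes: list = field(default_factory=list)  # (kind, key) outside allow-list


def snapshot_clean_guest() -> dict:
    """Constructed baseline: what the reverted VM looks like before any visit."""
    return {
        r"reg:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": "ctfmon.exe",
        r"file:C:\WINDOWS\system32\drivers\etc\hosts": "sha1:baseline-hosts",
        "proc:iexplore.exe": 1,
    }


def diff_state(before: dict, after: dict) -> list:
    """Return sorted (kind, key) tuples for every key added, removed or modified."""
    changes = [("added", k) for k in after.keys() - before.keys()]
    changes += [("removed", k) for k in before.keys() - after.keys()]
    changes += [("modified", k) for k in before.keys() & after.keys()
                if before[k] != after[k]]
    return sorted(changes)


def classify(url: str, before: dict, after: dict) -> Verdict:
    """A URL is malicious if any change lands outside the benign prefixes."""
    suspicious = [c for c in diff_state(before, after)
                  if not c[1].startswith(BENIGN_PREFIXES)]
    return Verdict(url=url, malicious=bool(suspicious), changes=suspicious)


def run_honeypot(urls, visit) -> dict:
    """Drive each URL from a fresh baseline (the VM is reverted between visits)
    and return {url: Verdict}. `visit(url, state)` returns the post-visit state."""
    baseline = snapshot_clean_guest()
    return {u: classify(u, baseline, visit(u, dict(baseline))) for u in urls}


def simulated_visit(url: str, state: dict) -> dict:
    """Constructed browser behaviour standing in for a real IE6 session."""
    host = url.split("/")[2]
    # Every visit drops a cookie and cached page: expected, allow-listed.
    state[r"file:C:\Documents and Settings\user\Cookies\user@" + host] = "cookie"
    state[r"file:C:\Documents and Settings\user\Local Settings\Temporary Internet Files\index.htm"] = "html"
    if url.endswith("/driveby"):
        # Simulated compromise: new autorun entry, new binary, hosts file edited,
        # extra process. None of these match the allow-list.
        state[r"reg:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"] = "svchost32.exe"
        state[r"file:C:\WINDOWS\system32\svchost32.exe"] = "sha1:unknown"
        state[r"file:C:\WINDOWS\system32\drivers\etc\hosts"] = "sha1:changed"
        state["proc:svchost32.exe"] = 1
    return state


def demo() -> dict:
    """Run the classifier over two constructed URLs (.invalid is a reserved TLD)."""
    return run_honeypot(["http://benign.invalid/page",
                         "http://bad.invalid/driveby"], simulated_visit)


if __name__ == "__main__":
    for url, v in demo().items():
        print(f"{url}: {'MALICIOUS' if v.malicious else 'clean'}")
        for kind, key in v.changes:
            print(f"    {kind:9s} {key}")
```

Re-running the same URL list at intervals and keeping each verdict with a timestamp is what turns these single-visit results into the "core set" versus newly-compromised trend the article describes; the classifier itself only needs the clean baseline, the allow-list and the post-visit snapshot.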
Current research includes an attempt to apply artificial intelligence to analyse the incoming data and deduce what the exploit is attempting to do; a grid computing implementation allowing a large “federated” set of honeypots to be set up and controlled together; and an investigation of wireless and mobile exploits.
However, the more extensive analysis the university’s Mathematics and Computer Science department would like to do is impractical, simply because of a shortage of staff, Komisarczuk says.
This comes down to a simple question of research dollars against salaries offered in the outside world.
“We can’t keep some of the people we’d like to keep,” he says.