A Brief Introduction to Qebek

What is Qebek?

Qebek is the abbreviation for  QEMU based Sebek. As Sebek, it is data capture tool for high interaction honeypot.
Notice: Current version only supports Windows based honeypots.

What sort of information is Qebek capable of monitoring?

At current stage, it captures the same information as original Sebek: console keystrokes, process creation and network activities.

Why Qebek?

The main reason for developing Qebek is because Sebek lacks invisibility. There are several ways to detect, subvert and disable Sebek client. By moving the monitoring from OS kernel to underground virtualization layer, it would be much more difficult for attackers to detect whether they're being monitored. (They may be able to detect they are inside a virtual machine, but to tell whether the virtual machine is being monitored is much harder.)

Why QEMU? Why not VMware, Xen, VirtualBox or KVM?

First, QEMU is a emulator, so it has more control over the virtual machine.

Second, I'm much interested in collaborating Sebek with  Argos, a dynamic taint system, to provide better correlation and less noise.

VMware is proprietary, and its VMSafe interface only opens to its partner companies. The performance of KVM and VirtualBox is better, as they can leverage the new virtualization mechanism from modern CPU. But this also makes them more difficult to modify. The difficulty of modifying Xen is similar to QEMU, but the setup process is really painful.

However, since the framework of Qebek is very similar to  Ether, it should be easy to port the monitoring components to Ether.

How does Qebek work?

Qebek monitors the whole system activities, i.e. the whole honeypot OS has to run inside QEMU.

After the OS booted, Qebek hooks the system call functions we are interested in by adding a break point at the beginning of the function. Once the function is called, the monitoring components gathers the required information by interpreting raw memory data. This information is then output to stdout like sebekd does, which means you can use the same tools like sbk_dialog.pl, sebekd.pl.

A Quick Start Guide

Qebek is still under development, but if you'd like to have a try, here is a quick start guide.

  1. Check out the latest version from svn.
    svn co https://projects.honeynet.org/svn/sebek/virtualization/qebek/trunk/ qebek
    
  1. Configure and make. You will need to install the basic build tools and GCC 3.4.
    cd qebek
    chmod +x configure
    ./configure
    make
    
  1. If you'd like to install, make install as an admin; if not, the executable is under i386-softmmu.
    sudo make install
    
  1. Setup up Windows honeypot. Use  Google if you don't have any experience of using QEMU, there are a lot of excellent tutorials on Internet. If your computer supports Intel VT or AMD-v, use  KVM to setup the honeypot, this will be much much more faster.
  1. Use Qebek to start the honeypot, and redirect the output to sbk_diag.pl or sebekd.pl from sebekd.
    qebek -localtime -m 512 -hda winxp.img -snapshot \
        -net nic,vlan=0.macaddr=00:00:00:00:00:00,model=pcnet \
        -net tap,vlan=0,ifname=tap0 \
        -winxp -sbk_ip 192.168.0.1 | sbk_diag.pl
    

Here is some explanation about the options: -snapshot write new data to a temporary disk so the original disk will not be damaged; specify a real MAC address for the NIC so as to bypass some detection program, PCNet model works better for me, these two options are not necessary; -winxp tells Qebek the guest OS is Windows XP, so it will use the right offset to read certain OS related structures; -sbk_ip specifies the guest OS' ip address, to avoid ugly 0.0.0.0 or 127.0.0.1 source ip.

Currently only Windows XP has been tested, supports for other version of Windows will be added soon.

How to add new monitoring component?

Coming soon.