Internet Malicious Miscreant
Agenda I
1 Brief background
2 Internet Malicious Miscreant
3 Threats: Protecting people; Protecting money; Protecting integrity
4 Attack vectors
5 Type of attacks
6 Prevention
7 Domain Name System
8 Malware: Intro; Deception
9 Attack Containment/Prevention: Honeypotting; Malware analysis; Encryption in Malware
Agenda II
10 Libemu: Example of libemu in action
11 Honeypots: SSH-based honeypot; Misc protocol based honeypot - Amun; Misc protocol based honeypot - Honeytrap; Misc protocol based honeypot - Mwcollect; Misc protocol based honeypot - Nepenthes; Misc protocol based honeypot - Dionaea
12 Special section - Dionaea: SQLite
Agenda III
13 Visualization: Gnuplot; Afterglow+Graphviz; Dionaea in action
14 Interpreting outputs: Some statistics of incoming IPs
Brief background
A full-time academic staff member of International Islamic University Malaysia (IIUM/UIA)
Full-time student working on his research degree at Universiti Teknologi Malaysia, Skudai, Johor Bahru
Internet Malicious Miscreant
Focus today
Understand the threats
Focus on malicious creations on the Net
Look at several attack vectors
Containment, prevention workarounds
Threats
Threats and things to protect
Protecting:
You, your family and the people who are important around you
Your belongings (money, for example)
Your integrity (we come to this later)
Threats
Protecting people
Protecting people
Your data and your pictures might be super sensitive
Online social networks are very enjoyable, but also something you have to worry about
Default settings are the least to be trusted; take some time to fine-tune them
For example, Company X, which has the most popular online social network on earth, doesn't seem bothered about your privacy
In some sense, that is correct; after all, why share something at all if you want it to be private? Keep it in your own storage instead
Threats
Protecting money
Example of stolen credit cards for sale
Threats
Protecting integrity
Beware of the webcam; it may be activated without you realizing it
Talking about identity theft, which may affect the previous points (money, for example)
Attack vectors
Example
People side
Vulnerable people
Need frequent knowledge/advice/tazkirah
Prey/victim at the same time (people who attack and the victims)
Example
Machine side
Vulnerable host
Needs frequent updates/patches
Prey/victim at the same time (a machine that was compromised and later becomes a stepping stone to attack others)
Type of attacks
Methods of attack
The following are my suggestions on the types of attacks (although disputable): Active attack
Defacement
DDoS
XSS
Type of attacks
Methods of attack
Passive attack
Worms - although vague, it depends on several issues - network connections etc.
Phishing
PDF exploits
Anything of the drive-by-download type
Prevention
Success stories of underground-economy containment
University of California Santa Barbara (UCSB) taking over the Torpig botnet, aka botnet infiltration
Microsoft won the Waledac shutdown in court
Spanish police arrested three for the Mariposa botnet
Figure 1: Fringe Season 2 Ep 23
Domain Name System
Threats
DNS Poisoning
Happens in the "cache" (resolver) server
Attacks a certain population (say, if the cache nameserver for Organization X was attacked, it only happens there)
Deceives users into, say, exposing online banking PINs or passwords
Fast-flux network
Victims are preyed on to follow/click the bait URL
Able to deceive everyone on the Internet
Serving malware, spam, extreme p0rn, on bulletproof web hosting
Characteristics: one domain maps to a lot of IPs, with a short Time to Live (TTL)
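To make the fast-flux characteristics on the slide measurable, here is an added example (not part of the original talk) that scores a series of DNS answers for a name: many distinct A records, short TTLs, answers that change between lookups, and addresses spread over different networks. The `Lookup` records are constructed, the thresholds are illustrative assumptions, and the /16 prefix is used as a crude stand-in for "different network" (real tooling would map each address to its ASN).

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Lookup:
    """One DNS answer for a name: the TTL served and the A records returned."""
    name: str
    ttl: int
    addresses: List[str]


def flux_indicators(lookups: List[Lookup]) -> Dict[str, int]:
    """Summarize the slide's characteristics: many IPs, short TTL, churn, spread."""
    all_ips = {ip for lk in lookups for ip in lk.addresses}
    # Assumption: the /16 approximates "a different network"; real tooling uses ASNs.
    prefixes = {".".join(ip.split(".")[:2]) for ip in all_ips}
    churn = 0  # addresses present in a lookup but absent from the previous one
    for prev, cur in zip(lookups, lookups[1:]):
        churn += len(set(cur.addresses) - set(prev.addresses))
    return {
        "distinct_ips": len(all_ips),
        "prefixes": len(prefixes),
        "min_ttl": min(lk.ttl for lk in lookups),
        "churn": churn,
    }


def looks_fast_flux(lookups: List[Lookup], max_ttl: int = 300,
                    min_ips: int = 5, min_prefixes: int = 3) -> bool:
    """Illustrative thresholds (assumption), not a published flux score."""
    ind = flux_indicators(lookups)
    return (ind["min_ttl"] <= max_ttl and ind["distinct_ips"] >= min_ips
            and ind["prefixes"] >= min_prefixes and ind["churn"] > 0)


# Constructed sample answers (documentation and shared-address ranges, no real hosts).
FLUX_LOOKUPS = [
    Lookup("bait.example.net", 180,
           ["192.0.2.10", "198.51.100.20", "203.0.113.30", "100.64.1.40", "100.65.2.50"]),
    Lookup("bait.example.net", 180,
           ["192.0.2.11", "198.51.100.21", "203.0.113.30", "100.64.1.41", "100.65.2.50"]),
    Lookup("bait.example.net", 120,
           ["192.0.2.12", "198.51.100.20", "203.0.113.31", "100.64.1.42", "100.65.2.51"]),
]
STABLE_LOOKUPS = [Lookup("www.example.com", 3600, ["192.0.2.1", "192.0.2.2"]) for _ in range(3)]

if __name__ == "__main__":
    for label, lks in (("flux-like", FLUX_LOOKUPS), ("stable", STABLE_LOOKUPS)):
        print(label, flux_indicators(lks), "fast-flux?", looks_fast_flux(lks))
```

A low TTL and many addresses alone also describe a large CDN, which is why the example insists on churn and network spread as well; even so, treat a positive result as a reason to look closer, not as proof.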
Domain Name System
DNS Poisoning
Picture taken from http://www.technicalinfo.net/papers/Pharming2.html
Domain Name System
Fast-flux network
Picture taken from Honeynet's website
Domain Name System
Fast-flux animation
Source: http://www.f-secure.com/weblog/archives/fastflux.gif
Domain Name System
Source:Fortinet
Malware
Intro
Malware
Malware needs to be collected for analysis
In order to collect it, it has to be recognized first
To recognize malware, it must have a pattern
Do you watch the Fringe TV series, where Agent Dunham and the Bishops deal with the Pattern?
Remember, malware is software, so how do we differentiate a benign program from a malicious one?
Malware
Deception
The way the bad guys do their job...
The simplest example: drive-by download style;
Tell people to click interesting links: some money, funny pics, or p0rn. Once clicked, they might already be infected, or at least they have installed the fake software
Another example: rogue antivirus/"free" AV. And some even need you to buy it...
Attack Containment/Prevention
If the attack is difficult to stop, at least we can decrease the adversaries' level of success from time to time
Security is a process, remember!
Attack Containment/Prevention
Honeypotting
Emulating vulnerable machines/services
Depends on your resource or purpose
Attack Containment/Prevention
Honeypotting
Low-interaction honeypots
Kippo
Kojoney
Nepenthes/Dionaea
Mwcollect
Attack Containment/Prevention
Malware analysis
Ways of doing analysis
Malware analysis - static and dynamic
Static means we have to decompile or do some reverse-engineering exercise
Dynamic, however, needs us to execute the malware and monitor its behavior
Attack Containment/Prevention
Encryption in Malware
Finding XOR with XORSearch
Attack Containment/Prevention
Encryption in Malware
Using Amun internal utils
/opt/dionaea/var/dionaea/binaries/4a6e5980ad7d1a4bbe71ec46fa96755e
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: kernel32
>> found plaintext: CreateProcessA
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls
>> done
/opt/dionaea/var/dionaea/binaries/d7904fa2b3bba7bde11c01073a4b1fdf
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: possible windows cmd
>> found plaintext: kernel32
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls
>> done
/opt/dionaea/var/dionaea/binaries/dd128e54320ce15ab7e3c1f0648740be
>> checking binary for known windows API calls
>> checking for plaintext commands or calls
>> found plaintext: possible windows cmd
>> found plaintext: kernel32
>> found plaintext: GetProcAddress
>> found plaintext: http address
>> checking for windows api calls
>> done
Attack Containment/Prevention
Encryption in Malware
Later, search the same binary with XORSearch:
dd128e54320ce15ab7e3c1f0648740be
Found XOR 00 position 9DC34: http://broker.adobe.com/Acrobat/index.cgi
Found XOR 00 position E7BE8: http://mail.ru/:StringDatat_play....vk.
Found XOR 00 position E7D7C: http....nk
Found XOR 00 position E7DD0: http://mail.ru/:StringIndex
Found XOR 00 position E7F8C: http.
Found XOR 00 position E7F94: http....vk.
Found XOR 00 position E8070: http://win.mail.ru/cgi-bin/auth:StringData
Found XOR 00 position E81A8: http://win.mail.ru/cgi-bin/auth:StringIndex
Found XOR 00 position E8330: https://www.google.com/accounts/ServiceLogin:Strin
...
Found XOR 00 position E84E0: https://www.google.com/accounts/ServiceLogin:Strin
Found XOR 00 position F1B0B: http://www.usertrust.com1.0...U....UTN-USERFirst-H
Found XOR 00 position F1D7B: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl
Found XOR 00 position F1DB5: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0.
Found XOR 00 position F1E04: http://crt.comodoca.com/UTNAddTrustServerCA.crt09.
Found XOR 00 position F1E41: http://crt.comodo.net/UTNAddTrustServerCA.crt0...*
Found XOR 00 position F23BC: http://www.public-trust.com/CPS/OmniRoot.html0...U
Found XOR 00 position F2498: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.c
... and so on
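Both runs above do the same thing at heart: look for indicator strings (API names, "http", a command) either in the clear or under a single-byte XOR key, and print the key, offset and surrounding text. The following is an added example, not the slides' tooling, that implements that brute-force search in Python. The sample "binary" is constructed: two plaintext API names followed by a URL and a command hidden under the keys 0x19 and 0x77 (all values chosen for the example), so the expected hits are known.

```python
from typing import List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; a translation table is fast on large files."""
    return data.translate(bytes(i ^ key for i in range(256)))


def printable_run(data: bytes, start: int, limit: int = 50) -> bytes:
    """The printable-ASCII run beginning at start, like XORSearch's context column."""
    end = start
    while end < len(data) and end - start < limit and 0x20 <= data[end] <= 0x7E:
        end += 1
    return data[start:end]


def xor_search(data: bytes, keywords: List[bytes]) -> List[Tuple[int, int, bytes]]:
    """Try all 256 single-byte keys; return (key, offset, context) for every keyword hit."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        for kw in keywords:
            pos = decoded.find(kw)
            while pos >= 0:
                hits.append((key, pos, printable_run(decoded, pos)))
                pos = decoded.find(kw, pos + 1)
    return sorted(hits)


def report(hits: List[Tuple[int, int, bytes]]) -> List[str]:
    """Format hits the way XORSearch prints them: 'Found XOR KK position OFFSET: text'."""
    return [f"Found XOR {key:02X} position {pos:X}: {ctx.decode('ascii')}"
            for key, pos, ctx in hits]


# Constructed sample "binary" (not a real malware file): plaintext API names, filler,
# then a URL and a command hidden under two different single-byte keys.
PLAIN = b"kernel32\x00GetProcAddress\x00"
HIDDEN_URL = xor_bytes(b"http://win.mail.ru/cgi-bin/auth\x00", 0x19)
HIDDEN_CMD = xor_bytes(b"cmd.exe /c\x00", 0x77)
SAMPLE = b"MZ\x90\x00" + PLAIN + b"\xaa" * 16 + HIDDEN_URL + HIDDEN_CMD

# The indicators the Amun utility and the XORSearch run above were looking for.
KEYWORDS = [b"kernel32", b"GetProcAddress", b"CreateProcessA", b"http", b"cmd.exe"]

if __name__ == "__main__":
    for line in report(xor_search(SAMPLE, KEYWORDS)):
        print(line)
```

Short keywords such as "http" will produce chance hits on a real binary under some keys, which is why the context column matters: a hit whose surrounding bytes are not a readable string is noise, and a key that turns up several keywords at once is the one worth decoding the whole file with.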
Attack Containment/Prevention
Encryption in Malware
Finding XOR with xray
Libemu
From Libemu's website:
Features
executing x86 instructions
reading x86 binary code
register emulation
shellcode execution
shellcode detection
static analysis
win32 api hooking
Using libemu one can:
Benefits
detect shellcodes
execute the shellcodes
profile shellcode behaviour
Libemu
Example of libemu in action
Step 1
Let's say we have such a collection of PDF exploits . . .
Libemu
Example of libemu in action
Step 2
They are PDFs, but malicious ones . . .
Libemu
Example of libemu in action
Step 3
Checking the PDFs using AV . . .
Libemu
Example of libemu in action
Step 4
Now, using a PDF decoder, we strip the suspected shellcode . . .
Libemu
Example of libemu in action
Step 5
Put them into a blank text file . . .
Libemu
Example of libemu in action
Step 6
By using libemu’s tool “sctest”
. . .
Libemu
Example of libemu in action
Step 7
We got a nicely drawn flow graph
. . .
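Steps 4 to 6 above are shown on the slides as screenshots. As an added example (not the presenter's tooling), here is the part that sits between the PDF decoder and sctest in Python: the JavaScript a decoder recovers from a malicious PDF usually builds its payload with `unescape("%u....")`, so this turns those literals back into the raw bytes sctest expects. The `SAMPLE_JS` input is constructed and its payload is only NOPs and an INT3 breakpoint; the variable names and the `write_for_sctest` helper are the example's own.

```python
import re
from typing import Dict

# Constructed stand-in for the JavaScript a PDF decoder hands back from a /JS stream.
# The payload is deliberately inert: NOP sled plus an INT3 breakpoint.
SAMPLE_JS = r'''
var shellcode = unescape("%u9090%u9090%uCCCC");
var nop = unescape("%u0A0A%u0A0A");
var tag = unescape("%41%42%u4443");
'''

UNESCAPE_RE = re.compile(r'var\s+(\w+)\s*=\s*unescape\("([^"]*)"\)')


def decode_unescape(literal: str) -> bytes:
    """Rebuild the bytes JavaScript's unescape() would place in memory.

    %uXXXX is a 16-bit code unit and lands little-endian; %XX is one byte; any other
    character is kept as its ASCII value. A truncated escape raises ValueError
    instead of silently producing a wrong buffer.
    """
    out = bytearray()
    i = 0
    while i < len(literal):
        if literal.startswith("%u", i):
            if i + 6 > len(literal):
                raise ValueError(f"truncated %u escape at offset {i}")
            out += int(literal[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif literal[i] == "%":
            if i + 3 > len(literal):
                raise ValueError(f"truncated %XX escape at offset {i}")
            out.append(int(literal[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(literal[i]))
            i += 1
    return bytes(out)


def extract_shellcode(js: str) -> Dict[str, bytes]:
    """Map each unescape()'d variable in the script to its raw bytes."""
    return {name: decode_unescape(lit) for name, lit in UNESCAPE_RE.findall(js)}


def write_for_sctest(js: str, var: str, path: str) -> int:
    """Write one recovered buffer to a file for sctest; returns the byte count written."""
    blob = extract_shellcode(js)[var]
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)


if __name__ == "__main__":
    for name, blob in extract_shellcode(SAMPLE_JS).items():
        print(f"{name}: {len(blob)} bytes: {blob.hex()}")
```

The file written by `write_for_sctest` is what the slides feed to libemu in step 6; the usual invocation is `sctest -Sgs 100000 -G shellcode.dot < shellcode.bin`, and `dot -Tpng shellcode.dot -o shellcode.png` renders the flow graph seen in step 7. Real droppers split or concatenate the string in many ways, so treat the single-literal regex as a starting point rather than a complete decoder.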
Honeypots
SSH-based honeypot
Kippo Honeypot
Honeypots
Misc protocol based honeypot-Amun
Amun honeypot I
.::[Amun - Main] ready for evil orders: ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204
(Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco
(Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204
(Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco
(Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204
(Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204
(Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204
(Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco
(Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204
(Bytes: 25) ::.
.::[Amun - vuln_check] CHECK Incoming: 213.XX.XX.7:31204
(Bytes: 18) ::.
.::[Amun - vuln_check] CHECK Incoming: cisco
(Bytes: 7) ::.
.::[Amun - vuln_check] CHECK Incoming: telnet 213.XX.XX.7 31204
(Bytes: 25) ::.
.::[Amun - shellcode_manager] found langenfeld xor decoder (key: 153) ::.
.::[Amun - shellcode_manager] found langenfeld shellcode (key: 153 port: 56, ip: 222.XX.XX.61) ::.
Honeypots
Misc protocol based honeypot-Amun
Amun honeypot II
Honeypots
Misc protocol based honeypot-Amun
Got something?
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download
(key: 19, ip: 115.XX.XX.245, file: ssms.exe) ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download
(key: 19, ip: 115.XX.XX.165, file: ssms.exe) ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download
(key: 19, ip: 115.XX.XX.168, file: ssms.exe) ::.
.::[Amun - submit_md5] download (tftp://115.XX.XX.165:69/ssms.exe):
e269d0462eb2b0b70d5e64dcd7c676cd (size: 154624) - DCOM ::.
.::[Amun - submit_anubis] could not submit sample to anubis: 404 timed out ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.
.::[Amun - shellcode_manager] found leimbach xor decoder (key: 19) ::.
.::[Amun - shellcode_manager] found leimbach tftp download
(key: 19, ip: 115.XX.XX.165, file: ssms.exe) ::.
.::[Amun - submit_md5] download (tftp://115.XX.XX.165:69/ssms.exe):
a3e695427fca4fe11ae06a196286de0b (size: 155648) - DCOM ::.
.::[Amun - submit_anubis] submit anubis successfull ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.
Honeypots
Misc protocol based honeypot-Amun
More caught binaries ;-)
.::[Amun - Main] ready for evil orders: ::.
.::[Amun - shellcode_manager] found furth xor decoder (key: 119) ::.
.::[Amun - ftp_download] ftp waiting data connection on port: 192.168.2.2:60624 ::.
.::[Amun - ftp_download] ftp connect to: 218.xx.xx.227 2689 (user: 123 pass: 123) ::.
.::[Amun - shellcode_manager] found download URL: http://174.xx.xx.11:5688/x.exe ::.
.::[Amun - submit_md5] download (http://174.xx.xx.11:5688/x.exe):
f45285574eb804f7b7431fcbb1323908 (size: 16897) - LSASS ::.
.::[Amun - submit_anubis] submit anubis successfull ::.
.::[Amun - submit_cwsandbox] submit cwsandbox successfull ::.
.::[Amun - shellcode_manager] found furth xor decoder (key: 119) ::.
.::[Amun - ftp_download] ftp waiting data connection on port: 192.168.2.2:62672 ::.
.::[Amun - ftp_download] ftp connect to: 218.xx.xx.227 2689 (user: 123 pass: 123) ::.
Honeypots
Misc protocol based honeypot-Honeytrap
Honeytrap honeypot
In this (pcap) mode honeytrap does not listen on fixed ports: the BPF filter below watches the host's own TCP RST (tcp[13] & 0x04) and ICMP port-unreachable (icmp[0] == 3, icmp[1] == 3) replies, each of which reveals a connection attempt to a closed port, and honeytrap then starts a dynamic server on that port to catch the next attempt.
BPF string is '((tcp[13] & 0x04 != 0 and tcp[4:4] == 0) or (icmp[0] == 3 and icmp[1] == 3)) and (src host (192.168.2.2))'.
Logging to /opt/honeytrap/honeytrap.log.
Initialization complete.
honeytrap v1.1.0 Copyright (C) 2005-2009 Tillmann Werner <tillmann.werner@gmx.de>
[2010-06-23 10:51:43] 17993 Master process pid written to /var/run/honeytrap.pid.
[2010-06-23 10:51:43] 17993 Creating pcap connection monitor.
[2010-06-23 10:51:43] 17993 Looking up device properties for eth0.
[2010-06-23 10:51:43] 17993 Creating pcap sniffer on eth0.
[2010-06-23 10:51:43] 17993 Using a 14 bytes offset for EN10MB.
[2010-06-23 10:51:43] 17993 ---- Trapping attacks on eth0 via PCAP. ----
[2010-06-23 11:05:33] 17993 218.25.11.207:6000 requesting tcp connection on 192.168.2.2:1433.
[2010-06-23 11:05:33] 17993 Port 1433/tcp has no explicit configuration.
[2010-06-23 11:05:33] 17993 Calling plugins before dynamic server setup.
[2010-06-23 11:05:33] 18127 Requesting tcp socket.
[2010-06-23 11:05:33] 18127 Socket created, file descriptor is 16.
[2010-06-23 11:05:33] 18127 Server is now running with user id 65534 and group id 65534.
[2010-06-23 11:05:33] 18127 Listening on port 1433/tcp.
[2010-06-23 11:07:33] 18127 -> 1433/tcp No incoming connection for 120 seconds - server terminated.
[2010-06-23 11:07:33] 17993 Process 17993 received signal 17 on pipe.
[2010-06-23 11:07:33] 17993 SIGCHILD received.
[2010-06-23 11:07:33] 17993 Process 18127 terminated.
[2010-06-23 11:07:33] 17993 Signal handler for SIGCHLD reinstalled.
Honeypots
Misc protocol based honeypot-Mwcollect
Mwcollect
root@auber:~# mwcollectd -l
Copyright 2009 Georg Wicherski, Kaspersky Labs GmbH <[email protected]>
This program is licensed under the GNU Lesser General Public License.
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/dynserv-nfqueue.so with configuration
/opt/mwcollectd/etc/mwcollectd/dynserv-nfqueue.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/dynserv-mirror.so with configuration
/opt/mwcollectd/etc/mwcollectd/dynserv-mirror.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/filestore-streams.so with configuration
/opt/mwcollectd/etc/mwcollectd/filestore-streams.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/filestore-binaries.so with configuration
/opt/mwcollectd/etc/mwcollectd/filestore-binaries.conf...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/shellcode-libemu.so with no configuration...
[2010-06-23 11:44:23 INFO] Creating 1 shellcode testing threads.
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/download-tftp.so with no configuration...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/download-curl.so with no configuration...
[2010-06-23 11:44:23 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/submit-mwserv.so with configuration
/opt/mwcollectd/etc/mwcollectd/submit-mwserv.conf...
[2010-06-23 11:44:24 SPAM] Loading module /opt/mwcollectd/lib/mwcollectd/log-file.so with no configuration...
[2010-06-23 11:44:27 EVENT] ["download.result.success":xxx]
{ url = "https://xxx.mwcollect.org/xxx", response = "OK: 120", type = "submit-mwserv.xxx" }
Honeypots
Misc protocol based honeypot-Nepenthes
Nepenthes honeypot
# #
Nepenthes Ampullaria
# #
Nepenthes Version 0.2.2
Compiled on Linux/x86 at Dec 13 2009 18:59:06 with g++ 4.4.2
Started on notre-dame running Linux/i686 release 2.6.32-23-generic
..........
[ spam down handler module ] <in virtual bool nepenthes::CSendDownloadHandler::Init()>
[ debug down mgr ] Registerd csend download handler as handler for protocol csend
(1 protocols supported)
[ debug down mgr ] Registerd creceive download handler as handler for protocol creceive
(2 protocols supported)
[ debug down mgr ] Registerd ftp download handler as handler for protocol ftp
(3 protocols supported)
[ debug down mgr ] Registerd http download handler as handler for protocol http
(4 protocols supported)
Honeypots
Misc protocol based honeypot-Dionaea
Dionaea honeypot
root@auber:~# dionaea -l all,-debug -L '*'
Dionaea Version 0.1.0
Compiled on Linux/x86 at Jun 15 2010 10:44:57 with gcc 4.4.3
Started on auber running Linux/i686 release 2.6.32-22-generic
[23062010 11:41:06] dionaea dionaea.c:574: glib version 2.24.1
[23062010 11:41:06] dionaea dionaea.c:578: libev api version is 3.9
[23062010 11:41:06] dionaea dionaea.c:593: libev backend is epoll
[23062010 11:41:06] dionaea dionaea.c:596: libev default loop 0x2c11e0
....
[23062010 11:41:06] logxmpp dionaea/logxmpp.py:130:
I am [email protected]/rgzUXgqL
[23062010 11:41:06] dionaea dionaea.c:727: Installing signal handlers
[23062010 11:41:06] dionaea dionaea.c:745: Creating 2 threads in pool
...
[23062010 11:41:18] logxmpp dionaea/logxmpp.py:320:
trying to join [email protected]/anonymous-rgzUXgqL
[23062010 11:41:18] logxmpp dionaea/logxmpp.py:320:
trying to join [email protected]/anonymous-rgzUXgqL
[23062010 11:41:19] logxmpp dionaea/logxmpp.py:346: logxmpp is online!
Special section - Dionaea
Dionaea - some features
Supports IPv4 and IPv6
Uses libemu
Enables binary sharing (needs XMPP support enabled)
That means you can leech somebody else's binaries and seed yours to them
Uses SQLite, no need for log-parsing skill-fu
Special section - Dionaea
Successful downloads
Special section - Dionaea
SQLite
SQLite in Dionaea
Special section - Dionaea
SQLite
Special section - Dionaea
SQLite
Visualization
Filter out the important stuff
Visualization
Gnuplot
Plot to Gnuplot
Visualization
Gnuplot
Visualization
Gnuplot
Visualization
Afterglow+Graphviz
Afterglow+Graphviz
Visualization
Dionaea in action
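The SQLite slides ("Successful downloads", "SQLite in Dionaea") and the visualization slides above are screenshots, so here is an added example, not dionaea's own code, that shows the queries behind them. It assumes a small subset of dionaea's logsql schema (the `connections` and `downloads` tables with the columns named below; check `sqlite3 logsql.sqlite .schema` against your own install), fills an in-memory database with constructed rows (documentation-range attacker addresses and placeholder hashes), then answers the three questions the slides visualize: which samples were downloaded and from how many attackers, which remote hosts hit the sensor most, and a two-column CSV for afterglow/Graphviz.

```python
import sqlite3
from typing import List, Tuple

# Assumed subset of dionaea's logsql schema: only the columns these queries need.
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT, connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER,
    local_host TEXT, local_port INTEGER, remote_host TEXT, remote_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER,
    download_url TEXT, download_md5_hash TEXT);
"""

# Constructed rows: documentation-range attackers, placeholder (not real) sample hashes.
MD5_A = "11111111111111111111111111111111"
MD5_B = "22222222222222222222222222222222"
CONNECTIONS = [
    (1, "accept", "tcp", "smbd", 1277266860, "192.168.2.2", 445, "203.0.113.5", 3421),
    (2, "accept", "tcp", "smbd", 1277266920, "192.168.2.2", 445, "203.0.113.5", 3422),
    (3, "accept", "tcp", "smbd", 1277267000, "192.168.2.2", 445, "198.51.100.77", 1099),
    (4, "accept", "tcp", "mssqld", 1277267100, "192.168.2.2", 1433, "198.51.100.77", 2244),
    (5, "accept", "tcp", "epmapper", 1277267200, "192.168.2.2", 135, "203.0.113.5", 3500),
]
DOWNLOADS = [
    (1, 1, "tftp://203.0.113.5/ssms.exe", MD5_A),
    (2, 2, "tftp://203.0.113.5/ssms.exe", MD5_A),
    (3, 3, "http://198.51.100.77:5688/x.exe", MD5_B),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for /opt/dionaea/var/dionaea/logsql.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", DOWNLOADS)
    return db


def download_stats(db: sqlite3.Connection) -> List[Tuple[str, int, int]]:
    """Successful downloads per MD5: how often, and from how many distinct attackers."""
    return db.execute("""
        SELECT d.download_md5_hash, COUNT(*) AS n, COUNT(DISTINCT c.remote_host) AS hosts
        FROM downloads d JOIN connections c ON d.connection = c.connection
        GROUP BY d.download_md5_hash ORDER BY n DESC, d.download_md5_hash""").fetchall()


def top_remote_hosts(db: sqlite3.Connection, limit: int = 10) -> List[Tuple[str, int]]:
    """Incoming connections per remote host (the list the geoiplookup loop later feeds on)."""
    return db.execute("""
        SELECT remote_host, COUNT(*) AS n FROM connections
        GROUP BY remote_host ORDER BY n DESC, remote_host LIMIT ?""", (limit,)).fetchall()


def afterglow_rows(db: sqlite3.Connection) -> List[str]:
    """source,target lines for afterglow's two-column mode: attacker -> honeypot service."""
    return [f"{host},{port}/{proto}" for host, port, proto in db.execute("""
        SELECT DISTINCT remote_host, local_port, connection_protocol
        FROM connections ORDER BY remote_host, local_port""")]


if __name__ == "__main__":
    db = build_sample_db()
    print("downloads:", download_stats(db))
    print("top hosts:", top_remote_hosts(db))
    print("\n".join(afterglow_rows(db)))
```

Written to a file, the `afterglow_rows` output goes through `afterglow.pl -t | neato -Tpng -o attackers.png` to get the attacker-to-service graph shown on the Afterglow+Graphviz slide, and the `top_remote_hosts` counts are what a gnuplot histogram plots.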
Interpreting outputs
Some statistics of incoming IPs
The following IPs are just examples
najmi@auber:~$ for i in `awk -F"|" {'print $1'} remotehost.txt`; do echo $i `geoiplookup $i | awk -F "GeoIP Country Edition" {'print $2'}`; done
85.190.0.3 : DE, Germany
90.213.218.76 : GB, United Kingdom
121.15.166.237 : CN, China
60.63.217.200 : CN, China
58.23.184.104 : CN, China
218.28.19.229 : CN, China
124.106.189.225 : PH, Philippines
140.211.166.4 : US, United States
89.16.176.16 : GB, United Kingdom
58.25.39.221 : CN, China
75.75.18.53 : US, United States
221.212.121.68 : CN, China
89.211.159.43 : QA, Qatar
212.117.163.190 : LU, Luxembourg
213.161.196.11 : FR, France
125.60.241.174 : PH, Philippines
218.59.235.146 : CN, China
Interpreting outputs
Some statistics of incoming IPs
Sorting datasets
najmi@auber:~$ cat list | sort -d | uniq -c | sort -n
1 FI, Finland
1 GR, Greece
1 HK, Hong Kong
1 LU, Luxembourg
1 MO, Macau
1 MX, Mexico
1 PK, Pakistan
1 RS, Serbia
1 RU, Russian Federation
1 SG, Singapore
2 AU, Australia
2 CO, Colombia
2 CR, Costa Rica
2 ES, Spain
2 IR, Iran, Islamic Republic of
2 NO, Norway
2 QA, Qatar
2 SE, Sweden
2 TH, Thailand
2 TW, Taiwan
3 BN, Brunei Darussalam
3 BR, Brazil
3 DE, Germany
3 GB, United Kingdom
3 KR, Korea, Republic of
4 CA, Canada
4 IT, Italy
5 FR, France
5 IP Address not found
5 PH, Philippines
6 VN, Vietnam
8 IN, India
9 EG, Egypt
13 JP, Japan
15 TR, Turkey
17 MY, Malaysia
21 PE, Peru
24 US, United States
115 CN, China
Interpreting outputs
Some statistics of incoming IPs
Checking downloaded binaries
We can use any AV, or in Linux simply a CLI-based AV, or some other options, such as the following Ruby-based script from http://hammackj.com/2010/02/22/tool-virustotal-rb/:
$ cat file
042774a2b7784ee0f7462e3ce721ec0f
$ ./virustotal.rb -f file
042774a2b7784ee0f7462e3ce721ec0f: Scanner: a-squared Result: Trojan-Dropper.Win32.Paradrop!IK
042774a2b7784ee0f7462e3ce721ec0f: Scanner: AhnLab-V3 Result: Win32/Korgo.worm.10879
042774a2b7784ee0f7462e3ce721ec0f: Scanner: AntiVir Result: Worm/Korgo.I
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Antiy-AVL Result: Worm/Win32.Padobot.gen
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Authentium Result: W32/Korgo.I
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Avast Result: Win32:Korgo-G
042774a2b7784ee0f7462e3ce721ec0f: Scanner: Avast5 Result: Win32:Korgo-G
- end -