Real-Time Static Malware Analysis using NepenthesFE

Visualizing your Honeypot Data

Upload: wasim-halani

Post on 01-Nov-2014


DESCRIPTION

My presentation slides for International Malware Conference - Malcon 2010 - held in Mumbai, India on 3rd December, 2010

TRANSCRIPT

Page 1: Real-Time Static Malware Analysis using NepenthesFE

Visualizing your Honeypot Data

Page 2: Real-Time Static Malware Analysis using NepenthesFE

Wasim Halani
◦ Security Analyst @ Network Intelligence India (http://www.niiconsulting.com/)
◦ Interests: Exploit development, Malware Analysis

Harsh Patel
◦ Student @ Symbiosis Centre for Information Technology
◦ Interest: Anything and everything about security

Page 3: Real-Time Static Malware Analysis using NepenthesFE

A deliberately vulnerable system, placed on the network
◦ Lures attackers towards itself
◦ Captures the malware sent to the network/system
◦ Helps in offline analysis

Types
◦ Low Interaction
◦ High Interaction

Page 4: Real-Time Static Malware Analysis using NepenthesFE

NepenthesFE is a front end to the low interaction honeypot ‘nepenthes’

Originally developed by Emre Bastuz

Helps in cataloguing malware collected using nepenthes

Has modules that perform operations to automate some aspects of malware analysis

Page 5: Real-Time Static Malware Analysis using NepenthesFE

Our Nepenthes honeypot provided only minimal data about the captured binaries
◦ File hash (MD5)
◦ Attacker IP
◦ File Name
◦ ...

What next? Is that all the value a honeypot can provide?

Page 6: Real-Time Static Malware Analysis using NepenthesFE

Lenny Zeltser
◦ ‘What to include in a Malware Analysis Report?’ http://zeltser.com/reverse-malware/malware-analysis-report.html

◦ Summary of Analysis
◦ Identification
◦ Characteristics
◦ Dependencies
◦ Behavioral & Code Analysis
◦ Screenshots
◦ Recommendations

Page 7: Real-Time Static Malware Analysis using NepenthesFE

Once we have captured the binary, we’re still left with doing the routine basic stuff
◦ strings, file, virustotal, geo-ip ...

Can’t we automate it!?

Enter ‘NepenthesFE’
◦ Basic analysis like file type, hashes, ASCII strings, packer information, geographical information

Page 8: Real-Time Static Malware Analysis using NepenthesFE

Analyzing malware sample ‘b.aaa’

Page 9: Real-Time Static Malware Analysis using NepenthesFE

Provide a statistical output of the data collected
◦ How many times has ‘a’ malware hit us?

Provide visualization of the origin of malware
◦ Which malware samples originate from a single country?

Determine and focus on the number of new attacks on the system

Provide a framework to automate initial static analysis
◦ Is it packed?
◦ Any recognizable ASCII strings in the binary?

Page 10: Real-Time Static Malware Analysis using NepenthesFE

Page 11: Real-Time Static Malware Analysis using NepenthesFE

Integrate with the Nepenthes honeypot
◦ Integration with multiple sensors possible

Statistical count of malware hits

AfterGlow diagrams
◦ Country of Origin
◦ ASN

Provide details of the attacking IP
◦ GEO IP database
◦ Google maps
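The bookkeeping behind the statistics and AfterGlow slides (pages 9 and 11), as an added example that is not NepenthesFE code: count hits per sample and per country, pick out samples first seen after a cut-off, group samples by ASN, and emit the three-column `source,event,target` CSV that AfterGlow reads. The sensor records are constructed for this example; the field names (`ts`, `sensor`, `ip`, `md5`, `country`, `asn`) and the country→md5→ip edge layout are assumptions, not the project's schema.

```python
from collections import Counter, defaultdict

# Constructed sensor records (not real nepenthes data): one dict per submission,
# as a central NepenthesFE would receive them from several sensors.
RECORDS = [
    {"ts": "2010-12-01T10:00:00", "sensor": "blr-1", "ip": "198.51.100.7", "md5": "a" * 32, "country": "US", "asn": "AS64501"},
    {"ts": "2010-12-01T11:00:00", "sensor": "blr-1", "ip": "198.51.100.7", "md5": "a" * 32, "country": "US", "asn": "AS64501"},
    {"ts": "2010-12-02T09:00:00", "sensor": "mum-1", "ip": "203.0.113.9",  "md5": "a" * 32, "country": "IN", "asn": "AS64502"},
    {"ts": "2010-12-02T12:00:00", "sensor": "mum-1", "ip": "203.0.113.9",  "md5": "b" * 32, "country": "IN", "asn": "AS64502"},
    {"ts": "2010-12-03T08:00:00", "sensor": "blr-1", "ip": "192.0.2.44",   "md5": "c" * 32, "country": "DE", "asn": "AS64503"},
]


def hit_counts(records):
    """How many times has a given sample hit us, per md5 and per origin country."""
    per_md5 = Counter(r["md5"] for r in records)
    per_country = Counter(r["country"] for r in records)
    return per_md5, per_country


def first_seen(records):
    """Earliest submission timestamp per md5 (ISO-8601 strings sort chronologically)."""
    seen = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        seen.setdefault(r["md5"], r["ts"])
    return seen


def new_samples(records, since):
    """Samples whose first submission is at or after `since`: the 'new attacks' view."""
    return sorted(m for m, ts in first_seen(records).items() if ts >= since)


def samples_by_asn(records):
    """Which samples arrive from each ASN (the per-ASN attack-vector view)."""
    out = defaultdict(set)
    for r in records:
        out[r["asn"]].add(r["md5"])
    return {asn: sorted(md5s) for asn, md5s in out.items()}


def afterglow_edges(records, left="country", middle="md5", right="ip"):
    """AfterGlow three-column CSV (source,event,target), one line per distinct edge.
    Duplicates are dropped so repeated hits do not produce repeated edges."""
    seen, lines = set(), []
    for r in records:
        edge = (r[left], r[middle], r[right])
        if edge not in seen:
            seen.add(edge)
            lines.append(",".join(edge))
    return "\n".join(lines)


if __name__ == "__main__":
    per_md5, per_country = hit_counts(RECORDS)
    print("hits per sample:", dict(per_md5))
    print("hits per country:", dict(per_country))
    print("new since 2010-12-02:", new_samples(RECORDS, "2010-12-02"))
    print(afterglow_edges(RECORDS))
```

Piping the CSV output into `afterglow.pl` with its three-node mode gives the country/sample/attacker graph; swapping `left="asn"` produces the ASN variant from the same records.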

Page 12: Real-Time Static Malware Analysis using NepenthesFE

Can be extended with custom modules for static malware analysis in real time
◦ Packer Information
◦ ‘Strings’
◦ Anti-virus scanning (for known malware)

Page 13: Real-Time Static Malware Analysis using NepenthesFE

Based on Sample (malware)
◦ VirusTotal Scanning API
◦ Bitdefender scanning
◦ Unix-based command execution like file, objdump, UPX and strings
◦ *nix-based custom script execution to find out details like packer information, PE information and entropy analysis
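What a per-sample module from the list above does, written out as an added example (not NepenthesFE code): hashes, the `strings`-style ASCII run extraction, a minimal PE section-table walk, and Shannon entropy per section as the packer indicator. The PE blob is constructed inline and is not a real sample; the 7.0-bit entropy threshold and the section-name hints (`UPX`, `.aspack`, `.petite`) are heuristics assumed for this example, not packerid.py's signature database.

```python
import hashlib
import math
import re
import struct

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # same default as `strings` (min length 4)
PACKER_SECTION_HINTS = ("UPX", ".aspack", ".petite")  # assumed name hints, not a PEiD database
HIGH_ENTROPY = 7.0                                    # assumed threshold: near-random section bytes


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha512": hashlib.sha512(data).hexdigest()}


def ascii_strings(data: bytes) -> list:
    return [m.decode("ascii") for m in ASCII_RUN.findall(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for constant data up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes):
    """Walk the PE section table; returns [(name, raw_size, entropy)] or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]       # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_size, round(shannon_entropy(body), 2)))
    return sections


def triage(data: bytes) -> dict:
    sections = pe_sections(data)
    report = hashes(data)
    report["file_type"] = "PE executable" if sections is not None else "data"
    report["strings"] = ascii_strings(data)
    report["entropy"] = round(shannon_entropy(data), 2)
    report["sections"] = sections or []
    name_hint = any(n.startswith(h) for n, _, _ in report["sections"] for h in PACKER_SECTION_HINTS)
    high = any(e > HIGH_ENTROPY for _, _, e in report["sections"]) or report["entropy"] > HIGH_ENTROPY
    report["likely_packed"] = bool(name_hint or high)
    return report


def build_sample_pe() -> bytes:
    """Constructed two-section PE-shaped blob: a plain .text and a uniformly random-looking UPX1."""
    text_body = b"kernel32.dll\0CreateFileA\0http://example.invalid/bot\0" + b"\0" * 64
    upx_body = bytes(range(256)) * 4                   # every byte value 4 times: entropy exactly 8.0
    hdr_end = 0x40 + 4 + 20                            # DOS header + "PE\0\0" + COFF header (no optional header)
    data_start = hdr_end + 2 * 40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sec1 = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(text_body), 0x1000, len(text_body), data_start) + b"\0" * 16
    sec2 = b"UPX1".ljust(8, b"\0") + struct.pack("<IIII", len(upx_body), 0x2000, len(upx_body), data_start + len(text_body)) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sec1 + sec2 + text_body + upx_body


if __name__ == "__main__":
    r = triage(build_sample_pe())
    print(r["md5"], r["file_type"], r["sections"], "packed?", r["likely_packed"])
    print(r["strings"])
```

The entropy check is what catches the cases a name-based signature misses; a renamed UPX section still reads as 8.0 bits here, while the cleartext `.text` section stays low.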

Page 14: Real-Time Static Malware Analysis using NepenthesFE

Based on Instance (Information about the attacker)
◦ GEO IP database
◦ ASN Information
  Mapping of ASN to Robtex
  Mapping of ASN to Phishtank
  Visualization of attack vectors from an ASN number
◦ Visualisation of attack vectors from an IP address

Page 15: Real-Time Static Malware Analysis using NepenthesFE

Page 16: Real-Time Static Malware Analysis using NepenthesFE

Page 17: Real-Time Static Malware Analysis using NepenthesFE

Install Nepenthes Honeypot sensor http://nepenthes.carnivore.it/

Refer to our first report at IHP http://www.honeynet.org.in/reports/KK_Project1.pdf

Page 18: Real-Time Static Malware Analysis using NepenthesFE

List of packages:
◦ build-essential
◦ apache2
◦ libapache2-mod-php5
◦ php-pear
◦ mysql-server-5.1
◦ php5-mysql
◦ php5-mhash
◦ php5-dev
◦ upx-ucl
◦ file

Page 19: Real-Time Static Malware Analysis using NepenthesFE

List of packages:
◦ geoip-bin
◦ rrdtool (for graphs)
◦ librrd2 (for graphs)
◦ librrd2-dev (for graphs)
◦ python-pefile (for the pefile module)
◦ python-all (for the pefile module)
◦ bitdefender-scanner (for Bitdefender scanning)
◦ graphviz (for visualization)

And Lots of Configuration....

Page 20: Real-Time Static Malware Analysis using NepenthesFE

Modify the ‘submit-http.conf’ file in /etc/nepenthes

Page 21: Real-Time Static Malware Analysis using NepenthesFE

Download the freely available database from MaxMind
◦ http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

Page 22: Real-Time Static Malware Analysis using NepenthesFE

Get the Google API Key http://code.google.com/apis/maps/signup.html

Page 23: Real-Time Static Malware Analysis using NepenthesFE

Page 24: Real-Time Static Malware Analysis using NepenthesFE

PEFile
◦ http://code.google.com/p/pefile/

Packerid.py
◦ Requires the ‘peid’ database (signatures)
◦ http://handlers.dshield.org/jclausing/

UPX
◦ http://upx.sourceforge.net/

‘file’: apt-get install file
‘strings’, ‘objdump’
These executables (chmod +x) should be accessible to NFE
◦ Place them in the /usr/bin/ folder if needed

Page 25: Real-Time Static Malware Analysis using NepenthesFE

Analysis Report               | Nepenthes    | Nepenthes + FE
File name                     | Yes          | Yes
Unique Identification (Hashes)| MD5, SHA512  | MD5, SHA512, (possibly ssdeep)
Malware Name (Family)         | No           | VirusTotal, Bitdefender (free Linux AV scanners)
Binary File Type              | No           | ‘file’
Malware Origin                | IP address   | Geo-location data
Screenshots                   | None         | GoogleMaps, AfterGlow graphs, Robtex graphs
Is it packed? Which Packer?   | No           | packerid.py, UPX
Statistics                    | No           | Yes (hit counts, RRD graphs)

Page 26: Real-Time Static Malware Analysis using NepenthesFE

Analyzing malware sample ‘b.aaa’

Page 27: Real-Time Static Malware Analysis using NepenthesFE

Page 28: Real-Time Static Malware Analysis using NepenthesFE

Page 29: Real-Time Static Malware Analysis using NepenthesFE

Page 30: Real-Time Static Malware Analysis using NepenthesFE

Page 31: Real-Time Static Malware Analysis using NepenthesFE

Page 32: Real-Time Static Malware Analysis using NepenthesFE

Works only with Nepenthes honeypot

No search functionality

VirusTotal functionality is broken (VirusTotal recently released a new API)

Report cannot be exported

Page 33: Real-Time Static Malware Analysis using NepenthesFE

Open-source
◦ Requires volunteers
◦ Current version – 0.04 (Releasing v0.05 today)

Complete documentation available at:
◦ http://www.niiconsulting.com/nepenthesfe/

Implementation of a central NepenthesFE for multiple Nepenthes sensors
◦ As part of the Indian Honeynet Project (IHP) http://honeynet.org.in/

Submit the malware to a sandbox environment to retrieve more in-depth analysis

Page 34: Real-Time Static Malware Analysis using NepenthesFE