Title: how to find 'interesting' malware samples?
Post by: RoleReversal on May 11, 2008, 09:55:18 AM

Peoples,

I've recently put a Nepenthes (http://nepenthes.mwcollect.org/) server into production. There were several reasons for this, from trying to get a better view of what's out there, training resources and just 'for fun' (yes I'm a bit strange). Unfortunately, the server is being too successful and is providing more samples than I can analyse in the timeframe available. Can anyone provide tips so that I can quickly identify and focus on the 'interesting' samples rather than spend time and resources investigating 'garden variety' malware?

Any advice appreciated, thanks in advance.

RR

Title: Re: how to find 'interesting' malware samples?
Post by: dean on May 13, 2008, 12:04:04 PM

First run the executable through a service like virustotal.com. This will allow you to determine if it has been seen in the wild before and how well detected it is. It will also give you an indication as to its function. Is it a dropper? If so you might want to run it to see what files it installs.

Also, check the MD5 of the executable on a site like offensivecomputing.net. All malware submissions to the site are named with the MD5 of the file. This will give you an idea of how new the sample is and if anyone has already unpacked and analyzed it.

Are you looking for specific samples or just anything that comes across your honeypot? You might want to modify the config of nepenthes to only simulate certain services on specific OSes. This will reduce some of the data you get. Also, automate your submissions to one of the sandbox analysis sites like Norman. This speeds up initial analysis.

dean

Title: Re: how to find 'interesting' malware samples?
Post by: shakuni on May 14, 2008, 02:10:15 AM

Initially you have to work really hard and analyse as much malware as you can. After some time you'll get a feel about what is interesting and what is not.
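As an added example (not code from the thread or from Nepenthes), a small Python triage pass that applies the hash advice above: group byte-identical collected files, look each group's MD5 up against a set of already-known hashes, and order what remains so unseen executables are analysed first. The sample bytes and the known-hash set are constructed stand-ins; in practice the known set would be filled from whatever database you query.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a Nepenthes binaries/ directory: filename -> bytes.
# a and b are byte-identical; c differs from them by a single byte; d is not a PE.
SAMPLES = {
    "sample_a.bin": b"MZ" + b"\x90" * 30 + b"stage1 dropper",
    "sample_b.bin": b"MZ" + b"\x90" * 30 + b"stage1 dropper",
    "sample_c.bin": b"MZ" + b"\x90" * 30 + b"stage1 dropper!",
    "sample_d.bin": b"not a PE file at all",
}

# Constructed placeholder for hashes already present in a public sample database.
KNOWN_MD5 = {hashlib.md5(SAMPLES["sample_a.bin"]).hexdigest()}


def triage(samples, known_md5):
    """Group byte-identical files by SHA-256 and annotate each group."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    report = []
    for sha256, names in groups.items():
        data = samples[names[0]]
        md5 = hashlib.md5(data).hexdigest()
        report.append({
            "sha256": sha256,
            "md5": md5,
            "files": sorted(names),
            "is_pe": data[:2] == b"MZ",   # MZ header: likely a Windows executable
            "known": md5 in known_md5,    # already in the database -> low priority
        })
    return report


def worklist(report):
    """Analysis order: unseen PE files first, then unseen non-PE, then known."""
    return sorted(report, key=lambda r: (r["known"], not r["is_pe"], r["sha256"]))


if __name__ == "__main__":
    for entry in worklist(triage(SAMPLES, KNOWN_MD5)):
        tag = "known " if entry["known"] else "UNSEEN"
        print(tag, entry["md5"], "pe" if entry["is_pe"] else "--", ", ".join(entry["files"]))
```

Note that sample_c lands in its own group even though it differs from sample_a by one byte, which is why a hash lookup alone says nothing about whether a sample is a repacked variant of something already known.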
Title: Re: how to find 'interesting' malware samples?
Post by: RoleReversal on May 14, 2008, 03:21:42 AM

Dean,

thanks for the info, I hadn't come across offensivecomputing.net (looking at the link I'm not sure how I've missed it). Hopefully it should help me out. One of the reasons I set the box up was to get a better feel for what is out there and what I'm likely to come up against. In this regard I'd like to collect/log everything that hits my box. My personal interest in malware is directed towards botnets, so ideally I'd like to limit my actual analysis to these.

From looking through the nepenthes architecture I assume that I am correct in my understanding that it emulates specific vulnerabilities? If this is the case how effective is it at finding 'zero-day' malware? How often are new vulnerabilities updated to catch malware using more recent exploits?

Shakuni,

"Initially you have to work really hard and analyse as much malware as you can. After some time you'll get a feel about what is interesting and what is not."

I was afraid someone was going to tell me that :'(

Title: Re: how to find 'interesting' malware samples?
Post by: dean on May 14, 2008, 09:15:02 AM

Nepenthes is a low interaction honeypot. As such it can only simulate known vulnerable services. As it can only simulate a known vuln it will not catch a 0day exploit. What it will capture is the initial network traffic of the exploit before it 'changes direction' and diverges from the vulnerability being emulated. This traffic is captured via the portwatch module. Ideally, you would want a high interaction (actual system) honeypot to see exactly what this malware would attempt to exploit. Look at the genIII honeypot/net from the honeynet project if you want a high interaction honeypot.

Look into the submission module that allows you to submit samples to Norman and CWsandbox automatically. This will speed up initial analysis.

Also, be aware that most malware (even 'unknown' variants) will likely use known exploit(s) to spread. This does not mean that the malware itself is not new. I have a sample currently that after two weeks is still only detected by 5 out of 32 AVs. This sample spread through a sequence of iframes and javascript/VB on about 4 different sites. Multiple known exploits were offered up based on the browser type, OS, 3rd party app, etc... to exploit the system in order to finally download and run it. A lot of malware (the latest stormworm iteration for example) will use two or more stages to download the malware onto the system. The initial exe can end up being the only way to get the final payload.

/dean

Title: Re: how to find 'interesting' malware samples?
Post by: RoleReversal on May 14, 2008, 09:32:19 AM

Dean,

thanks for the additional pointers (from previous forum threads I had a feeling you would be the man with the information ;) ). I'll take a better look at the submission module. The server was built following the guide from the ShadowServer Foundation (found here (http://www.shadowserver.org/wiki/pmwiki.php?n=Involve.BuildAHoneypot)); whilst I now have a working honeypot I'm still new to this aspect of malware research.

Following your previous advice I went over to offensive computing to search the database for my binaries but none have been found (searched via md5). I'm assuming that this is a normal state of affairs rather than me just getting a large volume of interesting and unknown malware strains?

I'm working on my possibly incorrect understanding. For downloading the final payload from multi-stage malware, is this something that can be automated through high-interaction honeypots, or is this typically something that would be gained via behavioural analysis in a lab?

Thanks again for the assistance and apologies for the n00by questions.

RR

Title: Re: how to find 'interesting' malware samples?
Post by: dean on May 15, 2008, 09:56:39 AM

A common theme in malware today is dynamic code generation and custom packing. All this is automated now. One interesting example I found was a site that dynamically generated malicious javascript and shellcode when it was accessed. Each visit would produce code with unique variables and even the shellcode was changed each time.

This might be why your examples are not showing up on offensivecomputing. One char different will change the hash.

Run your samples through:
- Virustotal
- Norman Sandbox
- CWsandbox

If they have been submitted before the sites will let you know. If not an analysis will be done automatically.

A high interaction honeypot will execute the malware and if that malware is a dropper for additional malware then that will also be downloaded and installed. I would suggest reading up on the various types of honeypots available, including client honeypots. Also, realize that if you run a high interaction honeypot the potential for it to be used to attack another host is there.

http://www.securityfocus.com/infocus/1897/1 <-- this is not a bad intro to the different options available to you.

Title: Re: how to find 'interesting' malware samples?
Post by: RoleReversal on May 17, 2008, 02:29:54 AM

I'll take another look at the submission modules (thought I had configured the norman sandbox module but I must have an error in my config somewhere :( ).

The article you linked was an interesting read, I've now got a long list of new bookmarks for further research. Unfortunately I am currently unable to implement a high-interaction machine as I only have authorisation for this project providing I can ensure that it will not be able to have a negative impact on the rest of my environment, hence the original choice of low-interaction.

Thanks again for the assistance, hopefully I'll have some interesting findings to share soon.

Title: Re: how to find 'interesting' malware samples?
Post by: xmachine on June 03, 2008, 02:31:14 PM

If you want to make this process more exciting, treat it as hunting. Have you watched AVP (Aliens vs Predators)? After you get the sample from Nepenthes, you can run it inside a "controlled" and "restricted" network. Then use some sniffing/ids/ips/av tools to observe the life-cycle of the malware, from infection to detection. With this you can build strong skills in malware analysis and how to build defenses.

For more information about manual malware analysis, give it a try here:

http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own.html
http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own_10.html
http://extremesecurity.blogspot.com/2008/02/malwares-containment-basics.html
http://extremesecurity.blogspot.com/2008/02/malwares-containment-level-ii.html
http://extremesecurity.blogspot.com/2008/03/malwares-containment-quarantine.html

Don't Try This At Your Work
http://extremesecurity.blogspot.com

Title: Re: how to find 'interesting' malware samples?
Post by: don on June 03, 2008, 03:55:01 PM

Your participation is much appreciated, but this is now your 3rd post and in each one you only offer links to your blog. While I realize that marketing makes the world go 'round, let's not treat EH-Net as your own marketing arm.

Looking forward to your continued contributions,
Don

Title: Re: how to find 'interesting' malware samples?
Post by: oneeyedcarmen on June 04, 2008, 07:28:38 AM

Don will be leaving us soon to become the next Secretary of State ;D