Use Nepenthes Honeypots to detect common malware


Introduction

Over the past few years, a large number of serious bugs in the Windows operating system have been discovered: MS03-026, for example, exploited and spread by the Blaster worm in 2003, or more recently the Mocbot/Wargbot worm, which has been exploiting the MS06-040 vulnerability since August 2006. The number of distinct malware components exploiting each of these vulnerabilities grows rapidly after every disclosure. Many worms are derived from earlier variants, and most belong to bot families such as Agobot, Phatbot and SDBot. As we all know, a botnet is a collection of hijacked computers controlled together for nefarious purposes, and each of those computers is running a bot.

[Picture 1. Source: outer-court]

"Over a four-month period, we collected more than 15,500 unique binaries, corresponding to 1,400 MB of data. Unique in this context is based on different MD5 sums of the binaries," Baecher wrote.

The detection rate for that malware ranged from 73% to 84% across four different antivirus tools. Clearly, relying on antivirus software alone is not always effective.

In this article we describe how a specific low-interaction honeypot, Nepenthes, can be used to quickly alert an administrator when a network infection occurs. Its main strength is its ability to capture the malware itself, which supports both blocking the infection and cleaning it up.

IDS alerts are useful for finding scanning worms

Some of the most damaging worms of recent years have exploited bugs in Windows services. Blaster, Sasser, Welchia and Slammer were the main cause of a large amount of downtime and lost business productivity around the world.

Hopefully the reader's Intrusion Detection System (IDS) is able to detect many of the new worms, and there are also plenty of port-scan detectors that can help. In the case of Blaster, each infected host sent about 10 packets per second to port 135/tcp. That alone is enough for snort's port-scan alerts to detect the problem, even before a Blaster signature had been written.
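The rate-based detection described above can be reproduced in a few lines. The following script is an added example and is not part of the original article or of snort; it is a simplified sliding-window port-scan detector, not snort's own algorithm. The packet records are constructed inline (documentation addresses, not captured traffic) and model a Blaster-style infected host sending roughly 10 SYNs per second to port 135/tcp across a /24, next to a legitimate RPC client that only talks to one server. The thresholds (window, packets per second, distinct targets) are assumptions to tune for your own network.

```python
from collections import defaultdict


def sample_packets():
    """Constructed packet records: (time_s, src, dst, dport, tcp_flags).

    Not real capture data; addresses are from the RFC 5737 documentation ranges.
    """
    pkts = []
    # Blaster-like scanner: one SYN every 0.1 s to port 135/tcp, a new host each time.
    for i in range(100):
        pkts.append((i / 10, "192.0.2.5", f"198.51.100.{i + 1}", 135, "S"))
    # Legitimate RPC client: a handful of connections to a single server over a minute.
    for t in (0.0, 20.0, 45.0):
        pkts.append((t, "192.0.2.7", "192.0.2.9", 135, "S"))
    # The server's SYN-ACK replies go to an ephemeral port and are never counted.
    for t in (0.01, 20.01, 45.01):
        pkts.append((t, "192.0.2.9", "192.0.2.7", 49152, "SA"))
    return pkts


def detect_scanners(records, port=135, window_s=10.0, min_pps=5.0, min_targets=20):
    """Flag sources that send SYNs to `port` at >= min_pps within some sliding window
    of `window_s` seconds AND hit at least `min_targets` distinct destinations.

    Requiring many distinct destinations separates a scan from a busy but legitimate
    client that reconnects to one server.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if dport == port and flags == "S":  # connection attempts only, not replies
            by_src[src].append((ts, dst))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        times = [t for t, _ in hits]
        # Two-pointer sweep: largest number of SYNs inside any window_s-second span.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        pps = peak / window_s
        targets = len({dst for _, dst in hits})
        if pps >= min_pps and targets >= min_targets:
            alerts[src] = {"peak_pps": pps, "targets": targets, "first_seen": times[0]}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(sample_packets()).items():
        print(f"SCAN {src}: {info['peak_pps']:.1f} SYN/s to 135/tcp, "
              f"{info['targets']} hosts, first seen t={info['first_seen']}s")
```

Only the scanner is reported; the RPC client sends far too few SYNs, to a single host, to trip either threshold. On a real sensor the records would come from a pcap or from firewall logs, and the window and rate should be set from a baseline of normal port 135/tcp traffic on your own segment.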

Some notes on bots

The main difference between a bot and a worm is that the bot has a central command-and-control (C&C) channel through which the compromised machine receives its orders, usually over IRC. These bots have the same kind of scanning behaviour as the worms discussed above, but they are controlled over IRC and only begin scanning or exploiting when commanded to. Given a full session, an IDS can also pick out the C&C traffic itself. A successful exploit was reported as: [SCAN]: Exploited yyy.yyy.123.45.

Generally a bot is quite quiet until it is told to scan a specific network:

#(4 - 1329104) [2005-03-25 03:39:49.297] [snort/2001372]
BLEEDING-EDGE IRC Trojan Reporting (Scan)
IPv4: yyy.yyy.231.32 -> zzz.zzz.163.59
hlen=5 TOS=0 dlen=168 ID=18140 flags=0 offset=0 TTL=127 chksum=56572
TCP: port=3023 -> dport=8000 flags=***AP*** seq=1483308911
ack=501861482 off=5 res=0 win=64331 urp=0 chksum=51363

Payload: length=128
000: 50 52 49 56 4D 53 47 20 23 61 73 74 72 6F 20 3A PRIVMSG #astro :
010: 5B 53 43 41 4E 5D 3A 20 52 61 6E 64 6F 6D 20 50 [SCAN]: Random P
020: 6F 72 74 20 53 63 61 6E 20 73 74 61 72 74 65 64 ort Scan started
030: 20 6F 6E 20 yy yy yy 2E yy yy yy 2E 78 2E 78 3A  on yyy.yyy.x.x:
040: 34 34 35 20 77 69 74 68 20 61 20 64 65 6C 61 79 445 with a delay
050: 20 6F 66 20 35 20 73 65 63 6F 6E 64 73 20 66 6F  of 5 seconds fo
060: 72 20 30 20 6D 69 6E 75 74 65 73 20 75 73 69 6E r 0 minutes usin
070: 67 20 32 30 30 20 74 68 72 65 61 64 73 2E 0D 0A g 200 threads...

Another bot, recorded by Daniel Cid, uses Google to search for vulnerable Mambo installations. That means it no longer needs to port-scan to find new targets, so an administrator should not rely solely on port-scan detection when looking for bots. The status reports are sent over IRC and take the form:

"PRIVMSG #ch :[GOOGLE] Trying big Exploit http://www.example.com/index.php"

Bots are not always as easy to detect as worms, because they can lie dormant for long periods and only start triggering IDS alerts when instructed to spread to other machines.
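Both the [SCAN] reports in the snort alert above and the [GOOGLE] report recorded by Daniel Cid share the same shape: an IRC PRIVMSG to a channel whose text starts with a bracketed tag. The script below is an added example, not code from the article or from any IDS, showing how to classify such C&C payloads once a sensor has extracted them. The sample payloads are constructed here, using documentation addresses in place of the article's redacted ones, and the report wording is assumed from the two messages quoted on this page; other bot families phrase their reports differently, so the regular expressions are starting points rather than signatures.

```python
import re

# Constructed TCP payloads, modelled on the two reports quoted in the article.
SAMPLE_PAYLOADS = [
    b"PRIVMSG #astro :[SCAN]: Random Port Scan started on 198.51.100.x:445 "
    b"with a delay of 5 seconds for 0 minutes using 200 threads.\r\n",
    b"PRIVMSG #astro :[SCAN]: Exploited 198.51.100.45.\r\n",
    b"PRIVMSG #ch :[GOOGLE] Trying big Exploit http://www.example.com/index.php\r\n",
    b"PRIVMSG #astro :hello, anyone here?\r\n",   # ordinary chat, must not alert
    b"PING :irc.example.net\r\n",                  # protocol keepalive, must not alert
]

# Optional ":prefix " allowed, then PRIVMSG <channel> :<text>
PRIVMSG = re.compile(r"^(?::\S+\s+)?PRIVMSG\s+(?P<chan>#\S+)\s+:(?P<text>.*)$")
TAGGED = re.compile(r"^\[(?P<tag>[A-Z]+)\]:?\s*(?P<msg>.*)$")
SCAN_STARTED = re.compile(
    r"[Ss]can started on (?P<target>[\w.]+):(?P<port>\d+)"
    r"(?:.*?using (?P<threads>\d+) threads)?"
)
EXPLOITED = re.compile(r"Exploited (?P<host>\d{1,3}(?:\.\d{1,3}){3})")
URL = re.compile(r"https?://\S+")


def classify_payload(payload: bytes):
    """Return a structured event for a bot status report, or None for anything else."""
    text = payload.decode("latin-1").rstrip("\r\n")
    m = PRIVMSG.match(text)
    if not m:
        return None
    t = TAGGED.match(m["text"])
    if not t:
        return None
    tag, msg = t["tag"], t["msg"]
    event = {"channel": m["chan"], "tag": tag}
    if tag == "SCAN":
        s = SCAN_STARTED.search(msg)
        if s:
            event.update(type="scan_started", target=s["target"], port=int(s["port"]),
                         threads=int(s["threads"]) if s["threads"] else None)
            return event
        e = EXPLOITED.search(msg)
        if e:
            event.update(type="exploited", host=e["host"])
            return event
    elif tag == "GOOGLE":
        u = URL.search(msg)
        event.update(type="google_search", url=u.group(0) if u else None)
        return event
    # Tagged but unrecognised: still worth a look, so keep the raw text.
    event.update(type="other", message=msg)
    return event


def scan_payloads(payloads):
    """Classify a sequence of captured payloads, dropping non-reports."""
    return [ev for ev in map(classify_payload, payloads) if ev]


if __name__ == "__main__":
    for ev in scan_payloads(SAMPLE_PAYLOADS):
        print(ev)
```

An "exploited" event names a host on your own network that has just been compromised, which is the most urgent output here; a "scan_started" event gives the target range and port so the IDS port-scan detector can be cross-checked, and a "google_search" event gives the URL being attacked without any scan ever crossing the wire.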

Using honeypots to find bots

[Picture 2. Source: net-security]

With most scanning worms and bots, much of the traffic is aimed at spreading further. In that case you should look for large-scale scanning patterns in the IDS logs. Sooner or later, though, these bots will scan your local network looking for more vulnerable systems to attack.

The best honeypot for this job is Nepenthes, which runs on a UNIX server and emulates a variety of Windows services to trick automated attacks. Nepenthes tries to download the malicious payload and offers an option to submit it automatically to the Norman sandbox. You then receive a report of the malware's behaviour at the e-mail address you provide.

If you run Nepenthes on an exposed machine, you will quickly learn how much malware is floating around on the net. There are currently many variants of bot families such as SpyBot and Agobot, and many antivirus programs fail to detect a significant number of them. That is unwelcome news, but it is exactly where Nepenthes becomes especially useful.

Install and configure Nepenthes

Readers using Debian Linux have a pre-built package in the unstable branch, which is the easiest way to install Nepenthes. Users of other systems can refer to the documentation for details on building it from source. If you don't want to build it yourself, there are pre-built Debian images for VMware that require only a minimal amount of work to get Nepenthes running (BitTorrent links are available as well).

After installing Nepenthes, edit /etc/nepenthes/nepenthes.conf and uncomment the line "submitnorman.so", "submit-norman.conf", "" to enable the Norman sandbox submission module. The file submit-norman.conf takes the form:

submit-norman
{
    // the e-mail address to which the Norman sandbox reports will be sent; for example
    email "my.email@example.com";
};

Each submitted sample is sent to Norman's online sandbox for runtime analysis, and a copy of the results is e-mailed to you. This can give you very useful information about what the binary does without having to execute it in your own virtual machine or reverse-engineer it.

Once Nepenthes is up and running, it listens on a large number of common TCP/IP ports, as follows:

# lsof -i
nepenthes 25917 nepenthes 6u IPv4 162588 TCP *:smtp (LISTEN)
nepenthes 25917 nepenthes 7u IPv4 162589 TCP *:pop3 (LISTEN)
nepenthes 25917 nepenthes 8u IPv4 162590 TCP *:imap2 (LISTEN)
nepenthes 25917 nepenthes 9u IPv4 162591 TCP *:imap3 (LISTEN)
nepenthes 25917 nepenthes 10u IPv4 162592 TCP *:ssmtp (LISTEN)
...

Using Nepenthes

Whenever the Nepenthes sensor detects an attack, it tries to download a copy of the malware and submits it to the Norman sandbox for analysis. This is part of a report on an IRC bot:

[Network services]
* Looks for an Internet connection.
* Connects to xxx.example.net on port 7654 (TCP).
* Sends data stream (24 bytes) to remote address xxx.example.net, port 7654.
* Connects to IRC Server.
* IRC: Uses nickname xxx.
* IRC: Uses username xxx.
* IRC: Joins channel #xxx with password xxx.
* IRC: Sets the usermode for user xxx to .

As you can see, this is much easier than performing the same kind of analysis by disassembling or reverse engineering the malware. Some malware, such as Agobot, contains anti-debugging code that prevents the sandbox from completing its analysis. In that case you may need to fall back on your favourite antivirus program. If all else fails, you can upload the binary to VirusTotal, which reports on it using twenty or more antivirus products.

Captured binaries are named after their md5sums. On Debian they are found in /var/lib/nepenthes/binaries:

# ls /var/lib/nepenthes/binaries/
01a7b93e750ac9bb04c24c739b09c0b0 547765f9f26e62f5dfd785038bb4ec0b
99b5a3628fa33b8b4011785d0385766b 055690bcb9135a2086290130ae8627dc
54b27c050763667c2b476a1312bb49ea ...

The log files also record where each binary was fetched from and how it was stored:

# tail -1 /var/log/nepenthes/logged_submissions
[2006-07-05T20:37:52] ftp://ftp:password@xxx.info:21/host.exe eb6f41b9b17158fa1b765aa9cb3f36a0

If your antivirus vendor does not yet detect the threat, you should send them a sample so that a signature update can be issued quickly. That makes it easier to hand the cleanup over to technicians, although you should allow for some delay and a moderate amount of further spread in the meantime.

Results from Nepenthes

The New Zealand Honeynet Project installed a Nepenthes honeypot, version 0.17, on Debian unstable. It listens on 255 IP addresses, a /24 network prefix. Over 5 days it collected 74 distinct samples, distinguished by the MD5 hash of the binary. Of these, only 48 samples were identified as malware by an antivirus program on the last day. The samples collected include many known worms such as Korgo, Doomjuice, Sasser and Mytob. The rest are IRC bots of one sort or another, such as SDBot, Spybot, Mybot and Gobot. Most of the binaries classified as worms and bots also have some IRC backdoor functionality. A closer look at these samples is left as an exercise for the reader.

Conclusion

Many patches have been released for Windows to fix remote exploitation issues. Even with a good patch management system, many of your local hosts may still be missing these patches, whether through misconfiguration, human error, or because they are in the middle of being reinstalled. A large number of distinct malware binaries exist that can exploit these vulnerabilities to gain access to unpatched machines. Because malware source code is readily available to black hats, many different variants exist, and not all of them are detected by conventional antivirus software.

A low-interaction honeypot like Nepenthes is easy to install, requires only minimal maintenance, and provides valuable information about attacks. Used together with an intrusion detection system, it yields even more valuable information about malware activity, including packed and self-encrypting binaries.
