Real-Time Static Malware Analysis using NepenthesFE
My presentation slides for International Malware Conference - Malcon 2010 - held in Mumbai, India on 3rd December, 2010
  1. Visualizing your Honeypot Data
  2. • Wasim Halani
       ◦ Security Analyst @ Network Intelligence India (http://www.niiconsulting.com/)
       ◦ Interests
         ▪ Exploit development
         ▪ Malware analysis
     • Harsh Patel
       ◦ Student @ Symbiosis Centre for Information Technology
       ◦ Interest
         ▪ Anything and everything about security
  3. • A deliberately vulnerable system, placed on the network
       ◦ Lure attackers towards itself
       ◦ Capture the malware sent to the network/system
       ◦ Help in offline analysis
     • Types
       ◦ Low interaction
       ◦ High interaction
  4. • NepenthesFE is a front end to the low-interaction honeypot ‘nepenthes’
     • Originally developed by Emre Bastuz
     • Helps in cataloguing malware collected using nepenthes
     • Has modules which perform operations to automate some aspects of malware analysis
  5. • Our Nepenthes honeypot provided only minimal data about the captured binaries
       ◦ File hash (MD5)
       ◦ Attacker IP
       ◦ File name
       ◦ ...
     • What next? Is that all the value a honeypot can provide?
  6. • Lenny Zeltser
       ◦ ‘What to include in a Malware Analysis Report?’
         ▪ http://zeltser.com/reverse-malware/malware-analysis-report.html
     • Summary of analysis
     • Identification
     • Characteristics
     • Dependencies
     • Behavioral & code analysis
     • Screenshots
     • Recommendations
  7. • Once we have captured the binary, we’re still left with doing the routine basic stuff
       ◦ strings, file, virustotal, geo-ip ...
     • Can’t we automate it!?
     • Enter ‘NepenthesFE’
       ◦ Basic analysis like file type, hashes, ASCII strings, packer information, geographical information
  8. Analyzing malware sample ‘b.aaa’
  9. • Provide a statistical output of the data collected
       ◦ How many times has ‘a’ malware hit us?
     • Provide visualization of the origin of malware
       ◦ Which malware originates from a single country?
     • Determine and focus on the number of new attacks on the system
     • Provide a framework to automate initial static analysis
       ◦ Is it packed?
       ◦ Any recognizable ASCII strings in the binary?
  10. • Integrate with the Nepenthes honeypot
        ◦ Integration with multiple sensors possible
      • Statistical count of malware hits
      • AfterGlow diagrams
        ◦ Country of origin
        ◦ ASN
      • Provide details of the attacking IP
        ◦ GeoIP database
        ◦ Google Maps
  11. • Can be extended with custom modules for static malware analysis in real time
        ◦ Packer information
        ◦ ‘Strings’
      • Anti-virus scanning (for known malware)
  12. • Based on sample (malware)
        ◦ VirusTotal scanning
          ▪ API
        ◦ BitDefender scanning
        ◦ Unix-based command execution like file, objdump, UPX and strings
        ◦ *nix-based custom script execution to find out details like packer information, PE information and entropy analysis
  13. • Based on instance (information about the attacker)
        ◦ GeoIP database
        ◦ ASN information
          ▪ Mapping of ASN to Robtex
          ▪ Mapping of ASN to PhishTank
          ▪ Visualization of attack vectors from an ASN number
        ◦ Visualization of attack vectors from an IP address
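The sample-side checks that slides 7, 9 and 12 describe (hashes, file type, ASCII strings, packer hint, entropy) as a runnable Python sketch. This is an added example, not NepenthesFE code: it uses only the standard library in place of pefile, packerid.py and UPX, and the SAMPLE bytes are constructed here rather than taken from a real capture.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a captured binary such as 'b.aaa' (not a real
# sample): an MZ header so the magic check fires, a few printable strings,
# a UPX-style section name, and 1024 bytes that cycle evenly through all
# byte values so that region has the flat, packed-looking byte histogram.
SAMPLE = (b"MZ" + b"\x90" * 62
          + b"This program cannot be run in DOS mode.\r\n\x00"
          + b"http://example.invalid/update.exe\x00"
          + b"UPX0\x00\x00\x00\x00"
          + bytes((i * 131 + 17) % 256 for i in range(1024)))

def file_hashes(data: bytes) -> dict:
    """Unique identification: MD5 (what Nepenthes records) plus SHA512."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}

def file_type(data: bytes) -> str:
    """Magic-number check standing in for the 'file' command."""
    if data[:2] == b"MZ":
        return "MS-DOS/PE executable"
    if data[:4] == b"\x7fELF":
        return "ELF executable"
    return "data"

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as `strings -n 4`: maximal runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(data: bytes) -> bool:
    """Packer hint: a UPX section name, or entropy above 7 bits/byte."""
    return b"UPX0" in data or b"UPX1" in data or shannon_entropy(data) > 7.0

def analysis_report(data: bytes) -> dict:
    """The per-sample fields from the slide-21 comparison, in one dict."""
    return {**file_hashes(data), "file_type": file_type(data),
            "strings": ascii_strings(data),
            "entropy": round(shannon_entropy(data), 2),
            "packed": looks_packed(data)}
```

The entropy and section-name heuristics only hint at packing; the slides' packerid.py with the PEiD signature database is what confirms which packer was used.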
  14. • Install the Nepenthes honeypot sensor
        ▪ http://nepenthes.carnivore.it/
      • Refer to our first report at IHP
        ▪ http://www.honeynet.org.in/reports/KK_Project1.pdf
  15. • List of packages:
        ◦ build-essential
        ◦ apache2
        ◦ libapache2-mod-php5
        ◦ php-pear
        ◦ mysql-server-5.1
        ◦ php5-mysql
        ◦ php5-mhash
        ◦ php5-dev
        ◦ upx-ucl
        ◦ file
  16. • List of packages:
        ◦ geoip-bin
        ◦ rrdtool (for graphs)
        ◦ librrd2 (for graphs)
        ◦ librrd2-dev (for graphs)
        ◦ python-pefile (for the pefile module)
        ◦ python-all (for the pefile module)
        ◦ bitdefender-scanner (for BitDefender scanning)
        ◦ graphviz (for visualization)
      • And lots of configuration....
  17. • Modify the ‘submit-http.conf’ file in /etc/nepenthes
  18. • Download the freely available database from MaxMind
        ◦ http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
  19. • Get the Google API key
        ▪ http://code.google.com/apis/maps/signup.html
  20. • PEFile
        ◦ http://code.google.com/p/pefile/
      • Packerid.py
        ◦ Requires the ‘peid’ database (signatures)
        ◦ http://handlers.dshield.org/jclausing/
      • UPX
        ◦ http://upx.sourceforge.net/
      • ‘file’: apt-get install file
      • ‘strings’
      • ‘objdump’
      • These executables (chmod +x) should be accessible to NFE
        ◦ Place them in the /usr/bin/ folder if needed
  21. Analysis Report

      Item                             Nepenthes     Nepenthes + FE
      -----------------------------------------------------------------------------------------
      File name                        Yes           Yes
      Unique identification – hashes   MD5, SHA512   MD5, SHA512 (possibly ssdeep)
      Malware name (family)            No            VirusTotal, BitDefender (free Linux AV scanners)
      Binary file type                 No            ‘file’
      Malware origin                   IP address    Geo-location data
      Screenshots                      None          Google Maps, AfterGlow graphs, Robtex graphs
      Is it packed? Which packer?      No            packerid.py, UPX
      Statistics                       No            Yes (hit counts, RRD graphs)

  22. Analyzing malware sample ‘b.aaa’
  23. • Works only with the Nepenthes honeypot
      • No search functionality
      • VirusTotal functionality is broken (new API released by VT recently)
      • Report cannot be exported
  24. • Open-source
        ◦ Requires volunteers
        ◦ Current version – 0.04 (releasing v0.05 today)
      • Complete documentation available at:
        ◦ http://www.niiconsulting.com/nepenthesfe/
      • Implementation of a central NepenthesFE for multiple Nepenthes sensors
        ◦ As part of the Indian Honeynet Project (IHP)
          ▪ http://honeynet.org.in/
      • Submit the malware to a sandbox environment to retrieve more in-depth analysis
  25. wasimhalani@gmail.com  har.duro@gmail.com