The document discusses the implementation and functionality of the Nepenthes honeypot, a system designed to attract and analyze cyber-attacks. It highlights the use of Nepenthesfe, a front-end tool for automated malware analysis, detailing its capabilities in data collection, visualization, and integration with various analysis tools. Additionally, it outlines the required packages and configuration necessary for setting up the Nepenthes honeypot sensor for effective malware monitoring and reporting.

1. Visualizing your Honeypot Data

2.  Wasim Halani
◦ Security Analyst @ Network Intelligence India
(http://www.niiconsulting.com/)
◦ Interests
 Exploit development
 Malware Analysis
 Harsh Patel
◦ Student @ Symbiosis center for Information
technology.
◦ Interest
 Anything and everything about security

3.  A deliberately vulnerable system, placed on
the network
◦ Lure attackers towards itself
◦ Capture the malwares sent to the network/system
◦ Help in offline analysis
 Types
◦ Low Interaction
◦ High Interaction

4.  NepenthesFE is a front end to the low
interaction honeypot ‘nepenthes’
 Originally developed by Emre Bastuz
 Helps in cataloguing malware collected using
nepenthes
 Has modules which performs operations to
automate some aspects of malware analysis

5.  Our Nepenthes honeypot provided only
minimal data about the captured binaries
◦ File hash (MD5)
◦ Attacker IP
◦ File Name
◦ ...
 What next?
 Is that all the value a honeypot can provide?

6.  Lenny Zeltser
◦ ‘What to include in a Malware Analysis Report?’
 http://zeltser.com/reverse-malware/malware-analysis-report.html
 Summary of Analysis
 Identification
 Characteristics
 Dependencies
 Behavioral & Code Analysis
 Screenshots
 Recommendations

7.  Once we have captured the binary, we’re still
left with doing the routine basic stuff
◦ strings, file, virustotal, geo-ip ...
 Can’t we automate it!?
 Enter ‘NepenthesFE’
◦ Basic analysis like filetype, hashes, ASCII strings,
packer information, geographical information

8. Analyzing malware sample
‘b.aaa’

9.  Provide a statistical output of data collected
◦ How many times has ‘a’ malware hit us?
 Provide visualization of origin of malware
◦ Which malwares originate from a single country
 To determine and focus on the number of new
attacks on to the system
 Provide a framework to automate initial static
analysis
◦ Is it packed?
◦ Any recognizable ASCII strings in the binary

11.  Integrate with the Nepenthes honeypot
◦ Integration with multiple sensors possible
 Statistical count of malware hits
 AfterGlow diagrams
◦ Country of Origin
◦ ASN
 Provide details of the attacking IP
◦ GEO IP database
◦ Google maps

12.  Can be extended with custom modules for
static malware analysis on real time
◦ Packer Information
◦ ‘Strings’
 Anti-virus scanning (for known malwares)

13.  Based on Sample (malware)
◦ VirusTotal Scanning
 API
◦ Bit defender scanning
◦ Unix based commands execution like File,
objdump, UPX and string
◦ *nix based custom script execution to find out
details like Packer Information, PE information
and entropy analyser

14.  Based on Instance (Information about the
attacker)
◦ GEO IP database
◦ ASN Information
 Mapping of ASN to Robtex
 Mapping of ASN to Phishtank
 Visualization of attack vectors from a ASN
number
◦ Visualisation of attack vectors from a IP address

17.  Install Nepenthes Honeypot sensor
 http://nepenthes.carnivore.it/
 Refer to our first report at IHP
 http://www.honeynet.org.in/reports/KK_Project1.pdf

18.  List of packages are :-
◦ Build essentials
◦ Apache2
◦ Libapache2-mod-php5
◦ phppear
◦ Mysql-server-5.1
◦ Php5-msql
◦ Php5-mhash
◦ Php5-dev
◦ Upx-ucl
◦ File

19.  List of packages are :-
◦ geoip-bin
◦ rrdtool (for Graphs)
◦ Librrd2 (for Graphs)
◦ Librrd2-dev (for Graphs)
◦ Python-pefile (for Pefile module)
◦ Python-all (for Pefile module)
◦ Bitdefender-scanner (for bit-defender
scanning)
◦ graphviz (for visualization)
And Lots of Configuration....

20.  Modify the ‘submit-http.conf’ file in
/etc/nepenthes

21.  Download the freely available database from
MaxMind
◦ http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

22.  Get the Google API Key
 http://code.google.com/apis/maps/signup.html

24.  PEFile
◦ http://code.google.com/p/pefile/
 Packerid.py
◦ Requires ‘peid’ database (signatures)
◦ http://handlers.dshield.org/jclausing/
 UPX
◦ http://upx.sourceforge.net/
 ‘file’ : apt-get install file
 ‘strings’
 ‘obj-jump’
 These executeables (chmod +x) should be accessible to
NFE
◦ Place them in /usr/bin/ folder if needed

25. Analysis Report Nepenthes Nepenthes + FE
File name Yes Yes
Unique Identification – MD5,SHA512 MD5, SHA512, (possibly ssdeep)
Hashes
Malware Name (Family) No VirusTotal, Bitdefender (free Linux
AV scanners)
Binary File Type No ‘file’
Malware Origin IP address Geo-location data
Screenshots None GoogleMaps, AfterGlow graphs,
Robtex graphs
Is it packed? Which No packerid.py, UPX
Packer?
Statistics No Yes (hit counts,RRD graphs)

26.  Analyzing malware sample‘b.aaa’

32.  Works only with Nepenthes honeypot 
 No search functionality
 VirusTotal functionality is broken (new API
released by VT recently)
 Report cannot be exported

33.  Open-source
◦ Requires volunteers
◦ Current version – 0.04 (Releasing v0.05 today)
 Complete documentation available at:
◦ http://www.niiconsulting.com/nepenthesfe/
 Implementation of a central NepenthesFE for
multiple Nepenthes sensors
◦ As part of the Indian Honeynet Project (IHP)
 http://honeynet.org.in/
 Submit the malware to a sandbox environment to
retrieve more in-depth analysis

35. wasimhalani@gmail.com
har.duro@gmail.com