Malcon NepentheFE v1.0 Final


  • 8/2/2019 Malcon NepentheFE v1.0 Final

    Slide 1/35

    Visualizing your Honeypot Data

  • Slide 2/35

    Wasim Halani, Security Analyst @ Network Intelligence India
    (http://www.niiconsulting.com/)
    Interests:
    Exploit development
    Malware Analysis

    Harsh Patel, Student @ Symbiosis Center for Information Technology
    Interest: Anything and everything about security

  • Slide 3/35

    A honeypot is a deliberately vulnerable system, placed on the network
    It lures attackers towards itself
    It captures the malware sent to the network/system
    It helps in offline analysis

    Types:
    Low Interaction
    High Interaction

  • Slide 4/35

    NepenthesFE is a front end to the low-interaction honeypot Nepenthes
    Originally developed by Emre Bastuz
    Helps in cataloguing malware collected using Nepenthes
    Has modules which perform operations to automate some aspects of malware analysis

  • Slide 5/35

    Our Nepenthes honeypot provided only minimal data about the captured binaries:
    File hash (MD5)
    Attacker IP
    File Name
    ...

    What next?
    Is that all the value a honeypot can provide?

  • Slide 6/35

    Lenny Zeltser: What to include in a Malware Analysis Report?
    http://zeltser.com/reverse-malware/malware-analysis-report.html

    Summary of Analysis
    Identification
    Characteristics
    Dependencies
    Behavioral & Code Analysis
    Screenshots
    Recommendations

  • Slide 7/35

    Once we have captured the binary, we're still left with doing the routine basic stuff: strings, file, VirusTotal, geo-IP ...
    Can't we automate it!?

    Enter NepenthesFE
    Basic analysis like file type, hashes, ASCII strings, packer information, geographical information

  • Slide 8/35

    Analyzing malware sampleb.aaa

  • Slide 9/35

    Provide a statistical output of the data collected: How many times has a malware hit us?
    Provide a visualization of the origin of malware: Which malwares originate from a single country?
    Determine and focus on the number of new attacks on the system
    Provide a framework to automate initial static analysis: Is it packed? Any recognizable ASCII strings in the binary?

  • Slide 11/35

    Integrate with the Nepenthes honeypot (integration with multiple sensors possible)
    Statistical count of malware hits
    AfterGlow diagrams: Country of Origin, ASN
    Provide details of the attacking IP: GEO IP database, Google Maps

  • Slide 12/35

    Can be extended with custom modules for static malware analysis in real time:
    Packer Information
    Strings
    Anti-virus scanning (for known malware)

  • Slide 13/35

    Based on Sample (malware):
    VirusTotal scanning API
    BitDefender scanning
    Unix-based command execution like file, objdump, UPX and strings
    *nix-based custom script execution to find out details like packer information, PE information and entropy analysis
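
    The per-sample static triage that slides 7 and 13 describe (hashes, ASCII strings, packer hint, entropy), as an added Python example; this is not NepenthesFE's own module code, and the input bytes, the UPX marker list and the 7-bits-per-byte packing threshold are constructed assumptions for illustration.

```python
"""Added example (not NepenthesFE's module code): static triage of one captured
sample in Python instead of shelling out to file/strings/UPX."""
import hashlib
import math
import re
from collections import Counter

# Section names / signature string that UPX leaves in a packed PE (assumed list).
PACKER_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def triage(data: bytes) -> dict:
    """Collect the fields a NepenthesFE-style per-sample report would show."""
    ent = shannon_entropy(data)
    markers = [m.decode("ascii") for m in PACKER_MARKERS if m in data]
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "size": len(data),
        "entropy": round(ent, 3),
        "strings": ascii_strings(data),
        "packer_markers": markers,
        # Heuristic only: a marker hit or entropy above ~7 bits/byte suggests
        # packing or encryption; confirm with packerid.py / pefile before trusting it.
        "likely_packed": bool(markers) or ent > 7.0,
    }

# Constructed sample, not a real binary: DOS magic, a UPX section name, an
# imported DLL name and a high-entropy tail standing in for the packed payload.
SAMPLE = (b"MZ\x90\x00" + b"UPX0\x00\x00\x00\x00" + b"kernel32.dll\x00"
          + bytes(range(256)) * 4)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```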

  • Slide 14/35

    Based on Instance (information about the attacker):
    GEO IP database
    ASN Information
    Mapping of ASN to Robtex
    Mapping of ASN to PhishTank
    Visualization of attack vectors from an ASN number
    Visualization of attack vectors from an IP address

  • Slide 17/35

    Install the Nepenthes Honeypot sensor: http://nepenthes.carnivore.it/
    Refer to our first report at IHP: http://www.honeynet.org.in/reports/KK_Project1.pdf

  • Slide 18/35

    List of packages:
    Build essentials
    Apache2
    Libapache2-mod-php5
    phppear
    Mysql-server-5.1
    Php5-msql
    Php5-mhash
    Php5-dev
    Upx-ucl
    File

  • Slide 19/35

    List of packages:
    geoip-bin
    rrdtool (for graphs)
    Librrd2 (for graphs)
    Librrd2-dev (for graphs)
    Python-pefile (for pefile module)
    Python-all (for pefile module)
    Bitdefender-scanner (for BitDefender scanning)
    graphviz (for visualization)

    And lots of configuration....

  • Slide 20/35

    Modify the submit-http.conf file in /etc/nepenthes

  • Slide 21/35

    Download the freely available database from MaxMind: http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

  • Slide 22/35

    Get the Google API Key: http://code.google.com/apis/maps/signup.html

  • Slide 24/35

    PEFile: http://code.google.com/p/pefile/
    Packerid.py (requires the PEiD signature database): http://handlers.dshield.org/jclausing/
    UPX: http://upx.sourceforge.net/
    file: apt-get install file
    strings
    objdump
    These executables (chmod +x) should be accessible to NFE; place them in the /usr/bin/ folder if needed

  • Slide 25/35

    Analysis Report                 Nepenthes     Nepenthes + FE
    File name                       Yes           Yes
    Unique Identification Hashes    MD5, SHA512   MD5, SHA512, (possibly ssdeep)
    Malware Name (Family)           No            VirusTotal, Bitdefender (free Linux AV scanners)
    Binary File Type                No            file
    Malware Origin                  IP address    Geo-location data
    Screenshots                     None          GoogleMaps, AfterGlow graphs, Robtex graphs
    Is it packed? Which Packer?     No            packerid.py, UPX
    Statistics                      No            Yes (hit counts, RRD graphs)

  • Slide 26/35

    Analyzing malware sampleb.aaa

  • Slide 32/35

    Works only with the Nepenthes honeypot
    No search functionality
    VirusTotal functionality is broken (new API released by VT recently)
    Report cannot be exported

  • Slide 33/35

    Open-source: requires volunteers
    Current version 0.04 (releasing v0.05 today)
    Complete documentation available at: http://www.niiconsulting.com/nepenthesfe/
    Implementation of a central NepenthesFE for multiple Nepenthes sensors, as part of the Indian Honeynet Project (IHP): http://honeynet.org.in/
    Submit the malware to a sandbox environment to retrieve more in-depth analysis

  • Slide 35/35

    [email protected]@gmail.com