Archived Blog
MOTW: Malware Collection: Passive Honeypots
12.05.2006 - 11:30 AM
Passive honeypots function by simulating vulnerable services to entice an attacker out of hiding. Should an attacker attempt to compromise the simulated service on this machine, the attack is intercepted and the malicious payload is collected. This type of honeypot differs from an active ("high interaction") honeypot in that our computer is not actually compromised.
I can’t go into too many details on the proprietary honeypots we use internally. Fortunately, the concepts used by all passive honeypots are similar and there are a number of freely-available honeypot projects that aspiring researchers have access to.
Nepenthes
Nepenthes ( http://nepenthes.mwcollect.org/) is one of these public honeypot projects, and one that I personally took a liking to. It allows me to quickly collect a variety of samples and determine certain patterns in known and unknown shellcode as it is sent across the network.

Once installed, Nepenthes can be configured to listen on a wide range of ports. These services are not actually running on this computer; Nepenthes is simulating vulnerable services in the hope that an attacker comes along and attempts to compromise the server.
More often than not, the attacker is an automated bot or worm, blindly scanning the internet for vulnerable hosts to spread to. This generally does not take very long; an exposed service is typically attacked in under a few minutes.

Beyond the simulated vulnerabilities, Nepenthes allows for various modules to interact with each other to increase the amount of information provided by the honeypot. Proper configuration of these additional modules allows you to get useful information, rather than simply being notified that an attack occurred.

Take this typical attack scenario to understand how the modules function together. An exploit arrives on one of Nepenthes’ listening ports, and is then passed to a vulnerability module. The selected vulnerability module interacts with the attacker to simulate an attack on a real computer, all in an attempt to capture the payload from the attacker.
This payload is then sent to a shellcode module where it is processed to (among other things) extract a URL from the payload. If a URL is found, it is sent to a download module to be retrieved. Any successfully retrieved binaries are then saved in a directory. This entire process is logged via the logging module, to help get a clear overview of patterns in the collected data.
This automated process allows an extremely large number of probably-malicious files to be collected in a relatively short period of time. Statistics collected by the mwcollect Alliance and displayed at http://www.mwcollect.org/ give some insight into the sheer volume possible here.

To help you deal with the large volume of samples received, Nepenthes offers the optional submit-norman module. This module allows captured malware to be automatically submitted to the Norman Sandbox ( http://sandbox.norman.no/) for automated analysis.

Below is sample output returned by the Norman Sandbox:
nepenthes-839699196c1f137e1a143cc03474449a-SDMSiTou.exe:
W32/Malware (Signature: W32/Spybot.BATF)
[ General information ]
* Locates window "NULL [class mIRC]" on desktop.
* File length: 82944 bytes.
* MD5 hash: 839699196c1f137e1a143cc03474449a.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\xagwxzyr.exe.
[ Changes to registry ]
* Creates value "Removal"="xagwxzyr.exe"
in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Removal"="xagwxzyr.exe"
in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates key "HKCU\Software\Microsoft\OLE".
* Sets value "Removal"="xagwxzyr.exe"
in key "HKCU\Software\Microsoft\OLE".
[ Network services ]
* Looks for an Internet connection.
* Connects to "some.domain.com" on port 9889 (TCP).
* Connects to IRC Server.
* IRC: Uses nickname XXXXXXX.
* IRC: Uses username XXXXXXX
* IRC: Joins channel #XXXXXX with password XXXXXX
* IRC: Sets the usermode for user XXXXXXX to -x+Bi.
[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.
[ Process/window information ]
* Creates a mutex alaksjdjfhghytueiwowowpqvb.
* Will automatically restart after boot (I'll be back...).
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\xagwxzyr.exe (82944 bytes): W32/Spybot.BATF.
When this sample was tested at http://www.virustotal.com/ on Nov. 10th, 2006, only three Anti-Virus vendors successfully detected this binary. Twenty days later, nine vendors now identify the binary. This goes a long way to confirm that relying on one AV product alone will not keep my nights free of nightmares. ;-)
Tying It All Together
Passive honeypots are unrivalled at the collection of binaries exploiting known vulnerabilities, but they often fall short when they encounter an unknown exploit. You can extend the functionality of your passive honeypots by configuring them to detect and report unusual traffic. This traffic can then be relayed to more advanced systems, such as active honeypots, or simply captured for manual analysis.
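The following is an added illustration, written for this post rather than taken from Nepenthes itself, of the module chain described above (vulnerability port, shellcode module extracting a URL, download module, hashed storage, logging) together with the "detect and report unusual traffic" idea from this section: an attempt on a port with no simulated service, or a payload from which no URL can be extracted, is flagged for manual analysis instead of being silently dropped. The simulated port list, the URL pattern, the in-memory stand-in for the network (FAKE_FETCH) and the three attack events are all constructed for the example; nothing is fetched from the real Internet.

```python
import hashlib
import logging
import os
import re
import tempfile

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("mini-honeypot")

# Ports on which this toy honeypot pretends to run a vulnerable service
# (constructed list, not Nepenthes' real vulnerability-module configuration).
SIMULATED_PORTS = {135, 139, 445}

# Download URLs inside shellcode are usually plain ASCII; this pattern is an
# assumption standing in for the real shellcode module's parsers.
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\x21-\x7e]+")

# Constructed stand-in for the network: the download module looks URLs up here.
FAKE_FETCH = {
    b"http://198.51.100.23/update.exe": b"MZ\x90\x00" + b"\x00" * 60,
}


def md5hex(data):
    return hashlib.md5(data).hexdigest()


def shellcode_module(payload):
    """Shellcode module: pull every download URL out of a captured payload."""
    return URL_RE.findall(payload)


def download_module(url):
    """Download module: return the bytes behind a URL, or None if unreachable."""
    return FAKE_FETCH.get(url)


def store_sample(data, directory):
    """Save a retrieved binary under its MD5 so duplicates collapse to one file."""
    path = os.path.join(directory, md5hex(data))
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(data)
    return path


def process_attack(src_ip, port, payload, directory):
    """Run one captured exploit attempt through the module chain.

    Returns a log record; 'unexpected_port' and 'unknown_shellcode' are the
    unusual cases a defender would relay to an active honeypot or an analyst.
    """
    record = {"src": src_ip, "port": port, "status": None, "urls": [], "md5": None}
    if port not in SIMULATED_PORTS:
        record["status"] = "unexpected_port"      # no vulnerability module here
        log.warning("%s", record)
        return record
    urls = shellcode_module(payload)
    record["urls"] = [u.decode("ascii") for u in urls]
    if not urls:
        record["status"] = "unknown_shellcode"    # keep payload for manual analysis
        record["payload_md5"] = md5hex(payload)
        log.warning("%s", record)
        return record
    for url in urls:
        data = download_module(url)
        if data is None:
            continue
        record["md5"] = md5hex(data)
        record["path"] = store_sample(data, directory)
        record["status"] = "collected"
        break
    if record["status"] is None:
        record["status"] = "download_failed"
    log.info("%s", record)
    return record


# Three constructed attack events, one per outcome: a known exploit carrying a
# download URL, shellcode with no URL, and a probe on a port we do not simulate.
EVENTS = [
    ("192.0.2.10", 445, b"\x90" * 8 + b"http://198.51.100.23/update.exe\x00"),
    ("192.0.2.11", 135, b"\x90" * 32 + b"\xcc"),
    ("192.0.2.12", 8080, b"GET / HTTP/1.0\r\n\r\n"),
]


def run_demo(directory=None):
    directory = directory or tempfile.mkdtemp(prefix="samples-")
    return [process_attack(src, port, payload, directory) for src, port, payload in EVENTS]


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

Running the script prints one record per event; the "collected" record carries the MD5 and on-disk path of the retrieved binary, while the two warning-level records are the ones worth forwarding to a higher-interaction system or a human.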
Helpful Reference:
- The Nepenthes Platform: An Efficient Approach to Collect Malware
http://honeyblog.org/junkyard/paper/collecting-malware-final.pdf
Researcher: Patrick Comiotto, Websense Security Labs