malcon nepenthefe v1.0 final
TRANSCRIPT
-
8/2/2019 Malcon NepentheFE v1.0 Final
1/35
Visualizing your Honeypot Data
-
Wasim Halani, Security Analyst @ Network Intelligence India
(http://www.niiconsulting.com/)
Interests: Exploit development, Malware Analysis
Harsh Patel, Student @ Symbiosis Center for Information Technology
Interest: Anything and everything about security
-
A deliberately vulnerable system, placed on the network
Lures attackers towards itself
Captures the malware sent to the network/system
Helps in offline analysis
Types: Low Interaction, High Interaction
-
NepenthesFE is a front end to the low-interaction honeypot Nepenthes
Originally developed by Emre Bastuz
Helps in cataloguing malware collected using Nepenthes
Has modules which perform operations to automate some aspects of malware analysis
-
Our Nepenthes honeypot provided only minimal data about the captured binaries:
File hash (MD5)
Attacker IP
File Name
...
What next?
Is that all the value a honeypot can provide?
-
Lenny Zeltser: What to include in a Malware Analysis Report?
http://zeltser.com/reverse-malware/malware-analysis-report.html
Summary of Analysis
Identification
Characteristics
Dependencies
Behavioral & Code Analysis
Screenshots
Recommendations
-
Once we have captured the binary, we're still left with doing the routine basic stuff: strings, file, VirusTotal, geo-IP ...
Can't we automate it!?
Enter NepenthesFE
Basic analysis like file type, hashes, ASCII strings, packer information, geographical information
-
Analyzing malware sampleb.aaa
-
Provide a statistical output of data collected: How many times has a malware hit us?
Provide visualization of origin of malware: Which malware samples originate from a single country?
Determine and focus on the number of new attacks on the system
Provide a framework to automate initial static analysis: Is it packed? Any recognizable ASCII strings in the binary?
-
Integrate with the Nepenthes honeypot (integration with multiple sensors possible)
Statistical count of malware hits
AfterGlow diagrams: Country of Origin, ASN
Provide details of the attacking IP: GEO IP database, Google Maps
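An added example (not NepenthesFE's own code) of the statistics this slide describes: hit counts per sample and per country, first-seen detection for the "new attacks" the deck wants to focus on, and the two-column CSV from which AfterGlow draws the country-of-origin graph. The submission records and the IP-to-country map are constructed stand-ins for the Nepenthes database and the GeoIP lookup.

```python
from collections import Counter

# Constructed Nepenthes submission records (not real captures), one per binary
# the sensor received, as NepenthesFE would read them from its database.
# Fields: capture date, attacker IP, MD5 of the captured file (dummy hashes).
RECORDS = [
    ("2010-11-01", "192.0.2.10",   "a" * 32),
    ("2010-11-01", "198.51.100.7", "a" * 32),
    ("2010-11-02", "192.0.2.10",   "b" * 32),
    ("2010-11-02", "203.0.113.99", "a" * 32),
    ("2010-11-03", "203.0.113.99", "c" * 32),
    ("2010-11-03", "203.0.113.99", "c" * 32),
]

# Constructed stand-in for the MaxMind GeoLiteCity lookup (geoip-bin):
# attacker IP -> country code.
COUNTRY = {"192.0.2.10": "US", "198.51.100.7": "DE", "203.0.113.99": "IN"}


def hit_counts(records):
    """How many times has each malware (by MD5) hit the sensor?"""
    return Counter(md5 for _, _, md5 in records)


def hits_per_country(records, country=COUNTRY):
    """Which countries do the captured samples originate from?"""
    return Counter(country.get(ip, "??") for _, ip, _ in records)


def new_samples_by_day(records):
    """First-seen hashes per day: the new attacks worth focusing on."""
    seen, new = set(), {}
    for day, _, md5 in sorted(records):
        if md5 not in seen:
            seen.add(md5)
            new.setdefault(day, []).append(md5)
    return new


def afterglow_csv(records, country=COUNTRY):
    """Two-column AfterGlow input (source,target): country -> sample, one line
    per distinct edge, for afterglow.pl -t to render the country-of-origin graph."""
    edges = sorted({(country.get(ip, "??"), md5[:8]) for _, ip, md5 in records})
    return "\n".join(f"{c},{h}" for c, h in edges)
```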
-
Can be extended with custom modules for static malware analysis in real time:
Packer Information
Strings
Anti-virus scanning (for known malware)
-
Based on Sample (malware):
VirusTotal scanning API
BitDefender scanning
Unix-based command execution, like file, objdump, UPX and strings
*nix-based custom script execution to find out details like packer information, PE information and entropy analysis
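An added example (not NepenthesFE's own code) of the sample-based static checks listed above, done in Python with no external tools: identification hashes, a magic-byte file type check standing in for file(1), strings(1)-style ASCII extraction, and Shannon entropy as a packing heuristic. The two samples are constructed, and the 7.0 bits/byte cut-off is an assumed threshold.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed samples standing in for binaries captured by the honeypot (not real
# malware): a plain PE-like file with readable text, and a "packed" one whose
# body is high-entropy pseudo-random bytes derived from SHA-256 digests.
PLAIN_SAMPLE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
                + b"This program cannot be run in DOS mode.\x00"
                + b"\x00" * 400 + b"http://example.invalid/update.exe\x00")
PACKED_SAMPLE = (b"MZ" + b"\x00" * 62 + b"UPX0\x00UPX1\x00"
                 + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)))

# Minimal stand-in for file(1): classify by leading magic bytes only
MAGIC = {b"MZ": "PE executable (MZ)", b"\x7fELF": "ELF executable", b"#!": "script"}


def hashes(data):
    """Unique identification hashes, as in the NepenthesFE report (MD5, SHA512)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}


def file_type(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "data"


def ascii_strings(data, min_len=4):
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def shannon_entropy(data):
    """Bits per byte (0..8); packed or encrypted content approaches 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data, packed_threshold=7.0):
    """Automated basic static analysis for one captured binary (assumed report layout)."""
    strs = ascii_strings(data)
    ent = shannon_entropy(data)
    return {**hashes(data), "type": file_type(data), "strings": strs,
            "entropy": round(ent, 2),
            # Heuristic only: high entropy or a visible UPX section name hints at packing
            "likely_packed": ent >= packed_threshold or any("UPX" in s for s in strs)}
```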
-
Based on Instance (information about the attacker):
GEO IP database
ASN information
Mapping of ASN to Robtex
Mapping of ASN to PhishTank
Visualization of attack vectors from an ASN number
Visualization of attack vectors from an IP address
-
Install Nepenthes Honeypot sensor: http://nepenthes.carnivore.it/
Refer to our first report at IHP: http://www.honeynet.org.in/reports/KK_Project1.pdf
-
List of packages:
build-essential
apache2
libapache2-mod-php5
php-pear
mysql-server-5.1
php5-mysql
php5-mhash
php5-dev
upx-ucl
file
-
List of packages (continued):
geoip-bin
rrdtool (for graphs)
librrd2 (for graphs)
librrd2-dev (for graphs)
python-pefile (for pefile module)
python-all (for pefile module)
bitdefender-scanner (for BitDefender scanning)
graphviz (for visualization)
And lots of configuration....
-
Modify the submit-http.conf file in /etc/nepenthes
-
Download the freely available database from MaxMind: http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
-
Get the Google API Key
http://code.google.com/apis/maps/signup.html
-
PEFile: http://code.google.com/p/pefile/
packerid.py: requires the PEiD database (signatures): http://handlers.dshield.org/jclausing/
UPX: http://upx.sourceforge.net/
file: apt-get install file
strings
objdump
These executables (chmod +x) should be accessible to NFE; place them in the /usr/bin/ folder if needed
-
Analysis Report               Nepenthes      Nepenthes + FE
File name                     Yes            Yes
Unique Identification Hashes  MD5, SHA512    MD5, SHA512, (possibly ssdeep)
Malware Name (Family)         No             VirusTotal, BitDefender (free Linux AV scanners)
Binary File Type              No             file
Malware Origin                IP address     Geo-location data
Screenshots                   None           Google Maps, AfterGlow graphs, Robtex graphs
Is it packed? Which packer?   No             packerid.py, UPX
Statistics                    No             Yes (hit counts, RRD graphs)
-
Analyzing malware sampleb.aaa
-
Works only with Nepenthes honeypot
No search functionality
VirusTotal functionality is broken (new API released by VT recently)
Report cannot be exported
-
Open-source: requires volunteers
Current version 0.04 (releasing v0.05 today)
Complete documentation available at: http://www.niiconsulting.com/nepenthesfe/
Implementation of a central NepenthesFE for multiple Nepenthes sensors, as part of the Indian Honeynet Project (IHP): http://honeynet.org.in/
Submit the malware to a sandbox environment to retrieve more in-depth analysis
-
[email protected]@gmail.com