Upload File

rémi chipaux, @futex90 · one honeypot is small but more, can be hard to follow linux malware is...

  • Home
  • Documents
  • Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated
23
Rémi Chipaux, @futex90

Upload: others

Post on 25-Sep-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Rémi Chipaux, @futex90

Page 2: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Security consultant at itrust consulting

(itrust.lu/malware.lu)

Malware analyst

Penetration tester

CTF player

Zythologue

Page 3: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Soriz hi’m franch

Page 4: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

For fun and curiosity

Understand what attackers are doing

Following the attacks

Find new stuff

Page 5: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

A RaspberryPI

Cowrie SSH/Telnet Honeypots

Capture commands and malwares

Page 6: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated
Page 7: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated
Page 8: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

One honeypot is small

But more, can be hard to follow

Linux malware is easy to reverse

(become boring)

A lot of malware to analyse, so it must be

automated

Page 9: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Reverse engineering framework

x86, amd64, arm, mips, *.*

Exploits

Malware analysis

Run on Windows, Linux, Mac

Scripts in python (r2pipe module)

Page 10: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

XorDDOS encrypt is c&c address with a

hardcoded xor key

Page 11: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated
Page 12: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

You have to deal with @BotFather

Send /newbot command, you will

receive a token

Page 13: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Easy to install

Easy to develop plugins in python3

Supports a lot of chat protocols

› Telegram

› IRC

› HipChat

› Slack

› XMPP

› Gitter …

Page 14: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

sudo pip3 install errbot && pip3 install

python-telegram-bot && errbot --init

Config file config.py

BACKEND = 'Telegram‘

ID = ‘BOT_ID’

BOT_DATA_DIR = r'/home/futex/errbot/data'

BOT_EXTRA_PLUGIN_DIR = '/home/futex/errbot/plugins'

BOT_LOG_FILE = r'/home/futex/errbot/errbot.log'

BOT_LOG_LEVEL = logging.DEBUG

BOT_ADMINS = (‘MY_TELEGRAM_ID’, )

BOT_IDENTITY = {

'token': ID,

}

BOT_PREFIX = "/"

Page 15: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Each new sample is notified by the bot

Dowloaded through tor

Automatically uploaded to VirusTotal

and linux.huntingmalware.com

Page 16: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

https://futex.re/tracker/index.php

IOC are exported in JSON and CSV

format

https://futex.re/tracker/index.php
Page 17: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Malware plugin can identify and reverse

some samples

Easy to add new malwares supported

Page 18: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Unpack plugin can extract the sample

Easy to add new packer supported (but

can be hard to code and detect …)

Page 19: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Command Description

/malware Extract malware configuration

/unpack Unpack the sample

/yara Yara check

/shodan Shodan search

/ip Give informations about the IP

/vt Return virustotal results

/urlquery Urlquery search

/gse_find Google custom engine search

/unshorten Unshorten a URL

Page 20: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Download directly from the chat room

More supported packers and malware

Autoreversing through a Windows VM

Integrating into a SIEM?

Sharing samples to MISP

Page 21: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated
Page 22: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

Thanks to Maxime Morin @maijin and

radare errbot cowrie dev teams

And you

Page 23: Rémi Chipaux, @futex90 · One honeypot is small But more, can be hard to follow Linux malware is easy to reverse (become boring) A lot of malware to analyse, so it must be automated

https://github.com/micheloosterhof/cowrie

https://github.com/errbotio/errbot

https://github.com/radare/radare2

https://github.com/radareorg/cutter

https://github.com/micheloosterhof/cowrie
https://github.com/micheloosterhof/cowrie
https://github.com/errbotio/errbot
https://github.com/errbotio/errbot
https://github.com/radare/radare2
https://github.com/radare/radare2
https://github.com/radareorg/cutter
https://github.com/radareorg/cutter
https://github.com/radareorg/cutter

Intrusion Detection and Malware Analysis - Malware collection...Honeypot taxonomy Low-interaction:simple daemons simulating network services; no exploitation. ... browser exploits

UNIVERSITAS GUNADARMA PROGRAM STUDI TEKNIK …sap.gunadarma.ac.id/upload/IT-045234.pdf · 1. Tujuan analisa Malware 2. Honeypot 3. Dissambler - Bentuk : Kuliah - Metode : Ceramah,

HONEYPOT COTTAGE - media.rightmove.co.uk

Honeypot-based Forensics

3.3. Database honeypot

2001-Honeypot-Newsletter-16ppA5-FINAL · Honeypot Heroes Page 6-7 Honeypot House, Hampshire – Learning breaks and more! Page 8-9 Honeypot Pen y Bryn – The buzz! Page 10 Volunteering

Honeypot چیست

Honeypot on Android

what is honeypot

Countering mobile malware in CSP’s network. Android honeypot as anti-fraud solution

nz honeypot project

A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Honeypot cupcakes

Honeypot ppt1

Honeypot and Steganography

Honeypot Main

Honeypot ss

u05 Honeypot

An Advanced Hybrid Honeypot for Providing Effective ...jecei.sru.ac.ir/article_1185_a4a5f543dcc7056104c70245431f7383.pdf · “honeypot”, honeypot is a security resource that its

Honeypot seminar report

Rémi quirion

himani gaur honeypot

The Honeypot Project

Computerized Honeypot

Intrusion Detection using Honeypot and Support Vector ...ethesis.nitrkl.ac.in/7997/1/672.pdf · Intrusion Detection using Honeypot and Support Vector ... using Honeypot and Support

Tartarus: A honeypot based malware tracking and mitigation ... · malicious entities. Detection and defence from these malicious entities has primarily been the concern of Intrusion

one childhood, one journey Honeypot House The Honeypot Playbus

Lea Honeypot

Trabajo Final Honeypot

Honeypot Rajranjan Dash

Honeypot Basics

Honeypot Road

Honeypot Report

Rémi Geffroy

Alla ricerca del malware perduto: progettazione e realizzazione di una Virtual Honeypot distribuita