Real-Time Static Malware Analysis using NepenthesFE

Visualizing your Honeypot Data

 Wasim Halani
◦ Security Analyst @ Network Intelligence India
(http://www.niiconsulting.com/)
◦ Interests
 Exploit development
 Malware Analysis
 Harsh Patel
◦ Student @ Symbiosis center for Information
technology.
◦ Interest
 Anything and everything about security

 A deliberately vulnerable system, placed on
the network
◦ Lure attackers towards itself
◦ Capture the malwares sent to the network/system
◦ Help in offline analysis
 Types
◦ Low Interaction
◦ High Interaction

 NepenthesFE is a front end to the low
interaction honeypot ‘nepenthes’

 Originally developed by Emre Bastuz

 Helps in cataloguing malware collected using
nepenthes

 Has modules which performs operations to
automate some aspects of malware analysis

 Our Nepenthes honeypot provided only
minimal data about the captured binaries
◦ File hash (MD5)
◦ Attacker IP
◦ File Name
◦ ...
 What next?
 Is that all the value a honeypot can provide?

 Lenny Zeltser
◦ ‘What to include in a Malware Analysis Report?’
 http://zeltser.com/reverse-malware/malware-analysis-report.html

 Summary of Analysis
 Identification
 Characteristics
 Dependencies
 Behavioral & Code Analysis
 Screenshots
 Recommendations

 Once we have captured the binary, we’re still
left with doing the routine basic stuff
◦ strings, file, virustotal, geo-ip ...

 Can’t we automate it!?

 Enter ‘NepenthesFE’
◦ Basic analysis like filetype, hashes, ASCII strings,
packer information, geographical information

Analyzing malware sample
‘b.aaa’

 Provide a statistical output of data collected
◦ How many times has ‘a’ malware hit us?

 Provide visualization of origin of malware
◦ Which malwares originate from a single country

 To determine and focus on the number of new
attacks on to the system

 Provide a framework to automate initial static
analysis
◦ Is it packed?
◦ Any recognizable ASCII strings in the binary

Real-Time Static Malware Analysis using NepenthesFE

 Integrate with the Nepenthes honeypot
◦ Integration with multiple sensors possible
 Statistical count of malware hits
 AfterGlow diagrams
◦ Country of Origin
◦ ASN
 Provide details of the attacking IP
◦ GEO IP database
◦ Google maps

 Can be extended with custom modules for
static malware analysis on real time
◦ Packer Information
◦ ‘Strings’

 Anti-virus scanning (for known malwares)

 Based on Sample (malware)
◦ VirusTotal Scanning
 API
◦ Bit defender scanning
◦ Unix based commands execution like File,
objdump, UPX and string
◦ *nix based custom script execution to find out
details like Packer Information, PE information
and entropy analyser

 Based on Instance (Information about the
attacker)
◦ GEO IP database
◦ ASN Information
 Mapping of ASN to Robtex
 Mapping of ASN to Phishtank
 Visualization of attack vectors from a ASN
number
◦ Visualisation of attack vectors from a IP address

 Install Nepenthes Honeypot sensor
 http://nepenthes.carnivore.it/
 Refer to our first report at IHP
 http://www.honeynet.org.in/reports/KK_Project1.pdf

 List of packages are :-
◦ Build essentials
◦ Apache2
◦ Libapache2-mod-php5
◦ phppear
◦ Mysql-server-5.1
◦ Php5-msql
◦ Php5-mhash
◦ Php5-dev
◦ Upx-ucl
◦ File

 List of packages are :-
◦ geoip-bin
◦ rrdtool (for Graphs)
◦ Librrd2 (for Graphs)
◦ Librrd2-dev (for Graphs)
◦ Python-pefile (for Pefile module)
◦ Python-all (for Pefile module)
◦ Bitdefender-scanner (for bit-defender
scanning)
◦ graphviz (for visualization)

And Lots of Configuration....

 Modify the ‘submit-http.conf’ file in
/etc/nepenthes

 Download the freely available database from
MaxMind
◦ http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

 Get the Google API Key
 http://code.google.com/apis/maps/signup.html

 PEFile
◦ http://code.google.com/p/pefile/
 Packerid.py
◦ Requires ‘peid’ database (signatures)
◦ http://handlers.dshield.org/jclausing/
 UPX
◦ http://upx.sourceforge.net/
 ‘file’ : apt-get install file
 ‘strings’
 ‘obj-jump’
 These executeables (chmod +x) should be accessible to
NFE
◦ Place them in /usr/bin/ folder if needed

Analysis Report Nepenthes Nepenthes + FE

File name Yes Yes

Unique Identification – MD5,SHA512 MD5, SHA512, (possibly ssdeep)
Hashes
Malware Name (Family) No VirusTotal, Bitdefender (free Linux
AV scanners)
Binary File Type No ‘file’

Malware Origin IP address Geo-location data

Screenshots None GoogleMaps, AfterGlow graphs,
Robtex graphs
Is it packed? Which No packerid.py, UPX
Packer?
Statistics No Yes (hit counts,RRD graphs)

 Analyzing malware sample‘b.aaa’

 Works only with Nepenthes honeypot 

 No search functionality

 VirusTotal functionality is broken (new API
released by VT recently)

 Report cannot be exported

 Open-source
◦ Requires volunteers
◦ Current version – 0.04 (Releasing v0.05 today)
 Complete documentation available at:
◦ http://www.niiconsulting.com/nepenthesfe/
 Implementation of a central NepenthesFE for
multiple Nepenthes sensors
◦ As part of the Indian Honeynet Project (IHP)
 http://honeynet.org.in/
 Submit the malware to a sandbox environment to
retrieve more in-depth analysis

wasimhalani@gmail.com
har.duro@gmail.com

Real-Time Static Malware Analysis using NepenthesFE

More Related Content

What's hot (20)

Similar to Real-Time Static Malware Analysis using NepenthesFE (20)

Recently uploaded (20)

Real-Time Static Malware Analysis using NepenthesFE