Brian Allen (ballen at wustl.edu)
Network Security Analyst
Washington University in St. Louis

 A: Generally a computer that appears to be legitimate, but in reality is a trap for malware and hackers
 There should be no legit traffic to the honeypot, so any traffic it sees is immediately suspicious
 A darknet is similar, but on a much bigger scale, say an entire /24 subnet

 Low Interaction: This type runs virtual hosts and services. Collects info in logs. Example:
Honeyd
 Medium Interaction: Similar to LI, but will interact with the malware and download the binary for analysis. Ex: Nepenthes
 High Interaction: A honeypot or honeynet that will allow hackers to actually compromise it while the admin monitors his moves. Ex: Sebek

 Georg Wicherski originally wrote a tool called mwcollect while Paul Baecher and
Markus Koetter were working on
Nepenthes
 Mwcollect was merged into Nepenthes in
February 2006
 Nepenthes 0.2.0 was released on
November 13, 2006





Vulnerability Modules – emulates various services which look ripe for compromise to an attacker (lsass, dcom, veritas, dameware, etc)
Shellcode Handlers and Emulators – allows
Nepenthes to interact with the malware
Download Modules – will download the binary
(http, ftp, curl, etc)
Submission Modules – will submit the binary for analysis (Norman, CWSandbox, postgres, etc)

 # ./configure
 --prefix=/usr/local/nepenthes
 --enable-capabilities
 --with-cap-lib=/lib/libcap.so
 --enable-debug-logging
 --enable-pcap
 --with-pcap-lib=/usr/lib/libpcap.so
 # make; # make install

 To start Nepenthes on the command line:



/usr/local/nepenthes/bin/nepenthes -u nepenthes -g nepenthes -r
/usr/local/nepenthes -C &
u run as user “nepenthes”
g run as group “nepenthes”
 -r chroot to the /usr/local/nepenthes dir
 -C run as non-root, but keep kernel capabilities

















Nepenthes runs on a large number of TCP/IP ports:
# lsof -i -P | egrep nep | sort -t: -n -k 2,2 nepenthes 328 nepenthes 17u IPv4 71388 TCP *:21 (LISTEN) nepenthes 328 nepenthes 33u IPv4 71404 TCP *:42 (LISTEN) nepenthes 328 nepenthes 34u IPv4 71405 TCP *:80 (LISTEN) nepenthes 328 nepenthes 6u IPv4 71377 TCP *:110 (LISTEN) nepenthes 328 nepenthes 14u IPv4 71385 TCP *:135 (LISTEN) nepenthes 328 nepenthes 26u IPv4 71397 TCP *:139 (LISTEN) nepenthes 328 nepenthes 7u IPv4 71378 TCP *:143 (LISTEN) nepenthes 328 nepenthes 8u IPv4 71379 TCP *:220 (LISTEN) nepenthes 328 nepenthes 18u IPv4 71389 TCP *:443 (LISTEN) nepenthes 328 nepenthes 15u IPv4 71386 TCP *:445 (LISTEN) nepenthes 328 nepenthes 9u IPv4 71380 TCP *:465 (LISTEN) nepenthes 328 nepenthes 10u IPv4 71381 TCP *:993 (LISTEN) nepenthes 328 nepenthes 11u IPv4 71382 TCP *:995 (LISTEN)
…

 Then Nepenthes can't use it. For example if you are running a service on port 2745, then nepenthes can't load a module for that port. In this case vuln-bagle.conf listens on port 2745:
 [ crit net handler ] Could not Bind Socket to Port
2745
 Address already in use
 [ crit net handler ] ERROR Could not init Socket
Address already in use
 [ crit net mgr ] ERROR Binding :2745 failed

 Norman sandbox http://sandbox.norman.no/live_4.html
 CWSandbox http://luigi.informatik.unimannheim.de/submit.php?action=verify
(There is a – after uni)
 Virus total http://www.virustotal.com/en/indexf.html

 nepenthes-6a036697ebe5068ffbb3a4f3690fb606setup_83117.exe : W32/Malware (Signature:
NO_VIRUS)






[ General information ]
* Anti debug/emulation code present.
* **Locates window "Unreal3.2 Modded By LyR [class
NULL]" on desktop.
* **Locates window "NULL [class mIRC]" on desktop.
* File length: 65963 bytes.
* MD5 hash: 6a036697ebe5068ffbb3a4f3690fb606.




[ Changes to filesystem ]
* Creates file C:\WINDOWS\smss.exe.
* Deletes file c:\sample.exe.







[ Changes to registry ]
* Creates key
"HKLM\Software\\Microsoft\\Windows".
* Sets value "h8d6v1d2n8d1"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows".
* Deletes value "h8d6v1d2n8d1" in key
"HKLM\Software\\Microsoft\\Windows".
* Sets value "u8l9n89x4u3"="3/6/2006, 1:20 PM" in key "HKLM\Software\\Microsoft\\Windows".
* Sets value "WaitToKillTimeout"="7000" in key
"HKLM\System\CurrentControlSet\Control".













[ Network services ]
* Looks for an Internet connection.
* Connects to "mail2.TIKTIKZ.COM" on port 9632 (TCP).
* Connects to IRC Server.
* IRC: Uses nickname [ ||106824802].
* IRC: Uses username XP-5094.
* Opens URL: http://www.proxy.us.pl/azenv.php
.
* Opens URL: http://www.nassc.com/pr.php
.
* Opens URL: http://69.59.137.236/cgi/prxjdg.cgi
.
* IRC: Sets the usermode for user [ ||106824802] to .
* IRC: Joins channel #oo# with password m00.
* Connects to "mail2.TIKTIKZ.COM" on port 7412 (TCP).

 [ Process/window information ]
 * Creates service "Windows NT Session
Managers (Windows NT Session Managers)" as
""C:\WINDOWS\smss.exe"".
 * Attempts to access service "Windows NT
Session Managers".
 * Creates a mutex h8d6v1d2n8d1.
 (C) 2004-2006 Norman ASA. All Rights
Reserved.

 Run Snort & Tcpdump with Nepenthes
 This will allow an admin to analyze more in depth what the attackers are trying to do to the machine in addition to what is stored in nepenthes logs

 HoneyTrap Module (Or set up Argus)
 What if malware tries to infect a computer on different port?
 The HoneyTrap Module will detect this and allow the malware to “talk” to this port even though it isn’t really open
 This is a new feature in version 0.2.0, and it is based on honeytrap.sf.net by Werner
Tillmann

 Collected 34 unique binaries
 Found 1728+ unique IP addresses which scanned the honeypot
 Found 101 different WUSTL IP addresses which scanned the honeypot

 Contact me

 - Paul Baecher ( nepenthesdev at users.sourceforge.net )
 - Markus Koetter ( nepenthesdev at users.sourceforge.net )
 - Georg Wicherski ( georg-wicherski at pixel-house.net )
 nepenthesdev at gmail.com

 http://nepenthes.mwcollect.org
–
Nepenthes Homepage
 http://sourceforge.net/projects/nepenthes

 "Medium Interaction Honeypots" by
Wicherski in April 2006 which includes a lot of information on Nepenthes http://www.pixel-house.net/midinthp.pdf

“Using Nepenthes Honeypots to Detect
Common Malware” by Jamie Riden in
November 2006 at SecurityFocus.com http://www.securityfocus.com/infocus/1880