Malware automated download by Amun honeypot

Written by Muhammad Najmi Ahmad Zabidi
najmi.zabidi [at] gmail.com

Intro

In this paper we try to properly document our series of experiments with the Amun virtual honeypot. If you have already played around with the Nepenthes honeypot before, Amun will surely be no alien to you. In short, Amun supports:

1. non-Microsoft Windows vulnerabilities
2. application of iproute for virtual hosts
3. malware downloads
4. submission to sandboxes (CWSandbox and Anubis)
5. verbose logging
The reader may download the tarball from http://amunhoney.sourceforge.net and extract it in userland. Since Amun is written in Python, we can simply invoke the startup script, amun_server.py. Apart from that, the Python module python-psyco has to be installed beforehand to make it work. Good to go:

    .::[Amun - Main] ready for evil orders: ::.
    .::[Amun - shellcode_manager] found bonn xor decoder (key: 182) ::.
    .::[Amun - shellcode_manager] found download URL: http://10.x.x.193:1408/ ::.
    .::[Amun - submit_md5] download (http://10.x.x.193:1408/): 11267aa26f2b91339d69ef8d29dda748 (size: 23040) - PNP ::.

Given that the honeypot successfully lured a binary, we can trace the alert back through the log files, all of which carry the same download URL and MD5:

exploits.log:

    2008-07-15 18:45:08,466 INFO exploit 10.x.x.193:4537 -> 10.x.x.139:445 (PNP Vulnerability: http://10.x.x.193:1408/)

submissions.log:

    2008-07-15 18:45:08,576 INFO [submit_md5] download (http://10.x.x.193:1408/): 11267aa26f2b91339d69ef8d29dda748 (size: 23040) - PNP

successfull_downloads.log:

    2008-07-15 18:45:08,572 INFO download (http://10.x.x.193:1408/): 11267aa26f2b91339d69ef8d29dda748 (size: 23040) 10.x.x.193:1408 - PNP
Later, we can view the binary, stored under its MD5 hash as its file name, in the folder named malware/. AVG identifies 11267aa26f2b91339d69ef8d29dda748.bin as:

    Trojan horse Generic3.ALN

Scanning the same folder with ClamAV:

    root@nuvox:~/amun/malware/md5sum# clamscan *
    11267aa26f2b91339d69ef8d29dda748.bin: Worm.Banwarum-11 FOUND
    8e072862754ef6e80831d2fd50376b43.bin: Trojan.DsBot-15 FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 352337
    Engine version: 0.92.1
    Scanned directories: 0
    Scanned files: 2
    Infected files: 2
    Data scanned: 0.06 MB
    Time: 8.628 sec (0 m 8 s)
Creating graph with Afterglow

"A picture is worth a thousand packets" ...

We can illustrate the log files fetched from the logs/ folder within Amun's working directory. Say we have the exploits.log file: simply use GNU Awk to filter out the unnecessary data so that we are left with three columns of data in Comma Separated Value (CSV) format, in this layout:

    source node, event, target node

which maps onto:

    source IP, malware's name, target IP

The Graphviz data can then be created by invoking the afterglow.pl Perl script, and the resulting .dot file rendered to PNG with circo:

    cat filename.csv | ./afterglow.pl -c color.properties -e 2 -p 3 > input.dot
    cat input.dot | circo -Tpng -o filename.png
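The two steps above, tracing an alert across exploits.log and submissions.log and then producing the three-column CSV that afterglow.pl consumes, are shown here as one added example. This is not code from the paper or from Amun; the paper does the extraction with GNU Awk, and this Python script does the same job but additionally joins the logs on the download URL so that each graph edge carries the sample's MD5. The sample log lines are constructed from the formats quoted above (the second and third events and the d41d8cd9... hash, which is the MD5 of an empty file, are placeholders, not real captures); the regular expressions are assumptions based on those quoted lines.

```python
import csv
import io
import re

# Constructed sample log lines, modelled on the exploits.log and submissions.log
# formats quoted in the paper. The redacted 10.x.x.* addresses are kept; the
# second and third events and the d41d8cd9... hash are placeholders.
EXPLOITS_LOG = """\
2008-07-15 18:45:08,466 INFO exploit 10.x.x.193:4537 -> 10.x.x.139:445 (PNP Vulnerability: http://10.x.x.193:1408/)
2008-07-15 19:02:11,003 INFO exploit 10.x.x.77:1056 -> 10.x.x.139:139 (DCOM Vulnerability: http://10.x.x.77:2189/)
2008-07-15 19:40:52,810 INFO exploit 10.x.x.21:3322 -> 10.x.x.139:445 (PNP Vulnerability: http://10.x.x.21:5555/)
"""

SUBMISSIONS_LOG = """\
2008-07-15 18:45:08,576 INFO [submit_md5] download (http://10.x.x.193:1408/): 11267aa26f2b91339d69ef8d29dda748 (size: 23040) - PNP
2008-07-15 19:02:11,120 INFO [submit_md5] download (http://10.x.x.77:2189/): d41d8cd98f00b204e9800998ecf8427e (size: 0) - DCOM
"""

# Assumed line layouts, derived from the quotes in the paper.
EXPLOIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO exploit (?P<src>[\w.]+):\d+ -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"\((?P<vuln>[^:]+): (?P<url>[^)\s]+)\)$"
)
# The console output in the paper shows a hyphen before the vulnerability tag
# while the quoted log line shows an en dash; accept both.
SUBMIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[submit_md5\] download \((?P<url>[^)]+)\): "
    r"(?P<md5>[0-9a-f]{32}) \(size: (?P<size>\d+)\) [-\u2013] (?P<tag>\S+)$"
)


def parse_exploits(text):
    """Return one dict per well-formed exploit line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EXPLOIT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def parse_submissions(text):
    """Return {download_url: {md5, size, tag}} built from submissions.log."""
    downloads = {}
    for line in text.splitlines():
        m = SUBMIT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            downloads[d["url"]] = {"md5": d["md5"], "size": int(d["size"]), "tag": d["tag"]}
    return downloads


def correlate(exploits, downloads):
    """Join each exploit event to its download through the URL found in the shellcode.

    An exploit whose payload was never fetched (no submissions.log entry) keeps
    md5=None, so a failed download still appears in the graph instead of vanishing.
    """
    rows = []
    for e in exploits:
        d = downloads.get(e["url"])
        rows.append({
            "src": e["src"],
            "dst": e["dst"],
            "dport": int(e["dport"]),
            "vuln": e["vuln"],
            "url": e["url"],
            "md5": d["md5"] if d else None,
            "size": d["size"] if d else None,
        })
    return rows


def afterglow_csv(rows):
    """Render 'source node, event, target node' lines for afterglow.pl.

    The event node is the sample's MD5 when one was fetched (the AV label from
    scanning malware/ can be substituted later), otherwise the vulnerability
    name. No header row is written, because afterglow would plot it as a node.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for r in rows:
        event = r["md5"] if r["md5"] else r["vuln"].replace(" ", "_")
        writer.writerow([r["src"], event, r["dst"]])
    return buf.getvalue()


if __name__ == "__main__":
    # Write the CSV to stdout; pipe it into afterglow.pl as in the paper.
    rows = correlate(parse_exploits(EXPLOITS_LOG), parse_submissions(SUBMISSIONS_LOG))
    print(afterglow_csv(rows), end="")
```

Replace the two string constants with the contents of the real log files and pipe the output into afterglow.pl as shown above. Keeping the unmatched exploit (the third sample line) in the output is deliberate: a target that is hit but never completes the download is exactly the kind of event a honeypot operator wants to see, since it often means the download server was already gone or was blocked.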