Amun-honeypot

  • June 2020
  • PDF

Malware automated download by Amun honeypot

Written by Muhammad Najmi Ahmad Zabidi
najmi.zabidi [at] gmail.com

Intro

In this paper we try to properly document our series of experiments with the Amun virtual honeypot. If you have already played around with the Nepenthes honeypot before, Amun will be no alien to you. In short, Amun supports:

1. non-Microsoft Windows vulnerabilities
2. application of iproute for virtual hosts
3. malware downloads
4. submission to the CWSandbox and Anubis sandboxes
5. verbose logging

The reader may download the tarball from http://amunhoney.sourceforge.net and extract it afterwards in userland. Since Amun is written in Python, we can simply invoke the startup script, amun_server.py. Apart from that, the Python module python-psyco has to be installed beforehand to make it work. Good to go:

.::[Amun - Main] ready for evil orders: ::.
.::[Amun - shellcode_manager] found bonn xor decoder (key: 182) ::.
.::[Amun - shellcode_manager] found download URL: http://10.x.x.193:1408/ ::.
.::[Amun - submit_md5] download (http://10.x.x.193:1408/): 11267aa26f2b91339d69ef8d29dda748 (size: 23040) - PNP ::.

Given that the honeypot successfully lured a binary, we can track the alert back through the log files:

exploits.log:
2008-07-15 18:45:08,466 INFO exploit 10.x.x.193:4537 -> 10.x.x.139:445 (PNP Vulnerability: http://10.x.x.193:1408/)

submissions.log:
2008-07-15 18:45:08,576 INFO [submit_md5] download (http://10.x.x.193:1408/): 11267aa26f2b91339d69ef8d29dda748 (size: 23040) - PNP

successfull_downloads.log:
2008-07-15 18:45:08,572 INFO download (http://10.x.x.193:1408/): 11267aa26f2b91339d69ef8d29dda748 (size: 23040) 10.x.x.193:1408 - PNP

Later, we can view the downloaded binary, stored under its MD5 hash, in the folder named malware/.

Result by AVG:
11267aa26f2b91339d69ef8d29dda748.bin: Trojan horse Generic3.ALN

root@nuvox:~/amun/malware/md5sum# clamscan *
11267aa26f2b91339d69ef8d29dda748.bin: Worm.Banwarum-11 FOUND
8e072862754ef6e80831d2fd50376b43.bin: Trojan.DsBot-15 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 352337
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 2
Infected files: 2
Data scanned: 0.06 MB
Time: 8.628 sec (0 m 8 s)

Creating graph with Afterglow

“A picture is worth a thousand packets” ...

We can illustrate the log files fetched from the logs/ folder within Amun's working directory. Say we have the “exploits.log” file: simply use GNU Awk to filter out the unnecessary data so that we are left with three columns of data in Comma Separated Value (CSV) format, namely:

source node, event, target node

which maps onto:

source IP, malware's name, target IP

The Graphviz data can then be created by invoking the afterglow.pl Perl script:

cat filename.csv | ./afterglow.pl -c color.properties -e 2 -p 3 > input.dot
cat input.dot | circo -Tpng -o filename.png
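The Awk filtering step described above, as an added example that is not from the paper or the Amun project: a POSIX shell function that reduces exploits.log lines to the "source IP, event, target IP" CSV that afterglow.pl consumes. It assumes the field layout of the exploits.log line quoted earlier and uses the vulnerability name in parentheses as the event column; the sample log lines are constructed, with private 10.0.0.x addresses in place of the paper's redacted ones.

```shell
#!/bin/sh
# Added example (not the paper's or Amun's own code): convert Amun's exploits.log
# into the three-column CSV (source node, event, target node) afterglow.pl expects.
# Assumed line layout, taken from the entry quoted in the paper:
#   DATE TIME LEVEL exploit SRC:PORT -> DST:PORT (EVENT NAME: URL)

# Constructed sample log lines, modelled on the paper's own exploits.log entry.
# The third line is deliberately not an "exploit" event and must be skipped.
SAMPLE_LOG='2008-07-15 18:45:08,466 INFO exploit 10.0.0.193:4537 -> 10.0.0.139:445 (PNP Vulnerability: http://10.0.0.193:1408/)
2008-07-15 18:47:12,001 INFO exploit 10.0.0.77:3322 -> 10.0.0.139:445 (DCOM Vulnerability: http://10.0.0.77:9999/x.exe)
2008-07-15 18:47:13,250 INFO vulnerability 10.0.0.77:3323 -> 10.0.0.139:139 (unrelated entry)'

# exploits_to_csv: read exploits.log text on stdin, write CSV rows on stdout.
exploits_to_csv() {
    awk '
    # Keep only lines that Amun logged as a triggered exploit.
    $3 == "INFO" && $4 == "exploit" {
        src = $5; sub(/:[0-9]+$/, "", src)   # drop the source port
        dst = $7; sub(/:[0-9]+$/, "", dst)   # drop the target port
        # The event name sits between "(" and the first ":" that follows it.
        if (match($0, /\([^:]+:/)) {
            event = substr($0, RSTART + 1, RLENGTH - 2)
            printf "%s,%s,%s\n", src, event, dst
        }
    }'
}

# Typical use, mirroring the pipeline in the paper:
#   exploits_to_csv < logs/exploits.log | ./afterglow.pl -c color.properties -e 2 -p 3 > input.dot
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | exploits_to_csv
fi
```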