NETWORK DEFENSE Australian Information Security / Cyber Crime Research & News

29 May 2010

30 days with Nepenthes

Nepenthes - Low-Interaction Honeypot

For a while I have needed to upgrade my home research lab environment. I have been running multiple Pentium 4 machines which is not effective in terms of the time spent setting up and deploying the systems, and also the large amount of power consumption.

So I decided to purchase a rack mount server and deploy VMware ESXi. I managed to pick up a Dell Poweredge 1950 1RU server for AU$900 with 2x Dual Core Xeon 5130's (2Ghz). To that I have added a further 8GB of DDR-2 ECC RAM, bringing the server up to 10GB in total.

Firstly, I must say WOW. ESXi and the vSphere Client have cut my deployment time down so much that the time it takes to deploy a system is negligible. Sure, I spent a bit of time setting up my templates and routing with Vyatta (I will expand on this topic in a later post). Overall the process has now gone from painful to painless.

Anyway, enough of that, let's get back on topic. Now that my research environment had been upgraded I thought I would take it for a test run, deploying the Nepenthes honeypot for 30 days to see what kind of activity is captured. I will go into detail in a later post about my specific Nepenthes system configuration, but in short I run Debian Lenny 64-bit (minimal) and use 'apt-get install nepenthes' to perform the install. Always works like a charm.

The honeypot ran for 30 days in Eastern Australian IP space. Here is an excerpt from the output of Andrew Waite's (InfoSanity) submission2stats.py Python script:

Statistics engine written by Andrew Waite - www.InfoSanity.co.uk
Number of submissions: 117
Number of unique samples: 34
Number of unique source IPs: 81
Days running: 30
Average daily submissions: 3
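For readers who want to reproduce figures like the ones above from their own logs, here is an added example (my own code, not the post's and not InfoSanity's submission2stats.py) that parses a Nepenthes logged_submissions file and computes the same headline counts, plus the most frequently submitted hashes and the most active source addresses. The line layout it parses (timestamp, source IP, "->", honeypot IP, download URL, MD5) and the sample lines themselves are assumptions constructed for this example; if your Nepenthes build writes the file differently, adjust LINE_RE. Malformed lines are counted and skipped rather than aborting the run.

```python
"""Summarise a Nepenthes logged_submissions file.

Added example, not code from the original post or from InfoSanity. The line
layout below is an ASSUMPTION made for this example:

    [2010-05-01T03:12:44] 203.0.113.7 -> 198.51.100.5 tftp://203.0.113.7/x.exe 958edd983aaa4de2cec1e9853bbb131a

i.e. timestamp, source IP, "->", honeypot IP, download URL, MD5 of the binary.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: RFC 5737 documentation addresses, hashes from the post.
SAMPLE_LOG = """\
[2010-05-01T03:12:44] 203.0.113.7 -> 198.51.100.5 tftp://203.0.113.7/x.exe 958edd983aaa4de2cec1e9853bbb131a
[2010-05-01T09:40:02] 203.0.113.7 -> 198.51.100.5 tftp://203.0.113.7/x.exe 958edd983aaa4de2cec1e9853bbb131a
[2010-05-02T17:05:19] 192.0.2.88 -> 198.51.100.5 ftp://192.0.2.88/ssms.exe df51e3310ef609e908a6b487a28ac068
this line is corrupt and should be skipped
[2010-05-03T22:51:37] 192.0.2.91 -> 198.51.100.5 http://192.0.2.91:1234/a.exe 3228f8bc721572422c268f244476dbb8
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<url>\S+)\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s*$"
)


def parse_submissions(text):
    """Return (records, skipped): parsed dicts plus the count of unparseable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # never let one bad line kill the whole report
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        rec["md5"] = rec["md5"].lower()
        records.append(rec)
    return records, skipped


def summarise(records, days_running=None):
    """Compute the headline figures shown in the post's stats excerpt."""
    if not records:
        return {"submissions": 0, "unique_samples": 0, "unique_sources": 0,
                "days_running": days_running or 0, "avg_daily": 0.0,
                "top_samples": [], "top_sources": []}
    first = min(r["ts"] for r in records).date()
    last = max(r["ts"] for r in records).date()
    if days_running is None:
        days_running = (last - first).days + 1   # inclusive of both end days
    samples = Counter(r["md5"] for r in records)
    sources = Counter(r["src"] for r in records)
    return {
        "submissions": len(records),
        "unique_samples": len(samples),
        "unique_sources": len(sources),
        "days_running": days_running,
        "avg_daily": round(len(records) / days_running, 2),
        "top_samples": samples.most_common(5),
        "top_sources": sources.most_common(5),
    }


def report(text, days_running=None):
    """Parse and summarise in one call; days_running overrides the log-derived span."""
    records, skipped = parse_submissions(text)
    stats = summarise(records, days_running)
    stats["skipped_lines"] = skipped
    return stats


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pass `days_running=30` to report() when the honeypot ran longer than the span between the first and last submission, otherwise the daily average is inflated by quiet days at either end.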

So as can be seen above, quite a bit of activity was captured. A breakdown of the number of malicious samples received per country is below:

Number of attacks per country resulting in a malicious sample

Here is the data above represented in a Geo Map:

Geo Map - Nepenthes Log Data May 2010

I was surprised by the country dispersion; I really didn't expect Japan to top the list.

The top five countries in order are:

  1. Japan
  2. Taiwan
  3. Malaysia
  4. India
  5. Australia / Thailand

Pie Chart - Percentage of malware from top 5 countries

Next I needed to run the binaries that had been captured through a virus scanner to see what was there. BitDefender is nice and easy to install on Debian as follows:

sudo nano /etc/apt/sources.list

Add the line:

deb http://download.bitdefender.com/repos/deb/ bitdefender non-free

Then run the following commands to download and import the key, update APT, and install BitDefender:

sudo wget http://download.bitdefender.com/repos/deb/bd.key.asc
sudo apt-key add bd.key.asc
sudo apt-get update
sudo apt-get install bitdefender-scanner

The scan can then be run from the shell; the log will be placed in your Nepenthes log folder (/var/log/nepenthes):

sudo bdscan --log=/var/log/nepenthes/scan.txt /var/lib/nepenthes/binaries

BitDefender detected 32 of the 34 samples as infected. The two samples that were reported as 'OK' by BitDefender were uploaded to VirusTotal to identify their type:

Totals:
Number of submissions: 117
Number of unique samples: 34
Number of unique malware types: 11

Pie Chart - Malware captured during May 2010
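The step above, reconciling the scanner's verdicts against the set of captured samples, is easy to automate once the samples are stored under their MD5 (which is how Nepenthes names files in /var/lib/nepenthes/binaries). Here is an added example (my own code, not the post's and not BitDefender's) that reads a scan log, maps each sample hash to a detection name or a clean verdict, lists the clean samples for a second-opinion lookup by hash, flags captured samples that never received a verdict, and counts distinct detection names the way the "unique malware types" figure does. The verdict line layout (path, then "ok" or "infected: name") and the detection names are assumptions constructed for this example; bdscan's real output may differ, so adjust VERDICT_RE to match your log.

```python
"""Reconcile scanner verdicts against the captured Nepenthes sample set.

Added example, not code from the original post or from BitDefender. The
verdict line layout is an ASSUMPTION made for this example: an absolute path
to the sample, whitespace, then either "ok" or "infected: <detection name>".
Nepenthes names stored binaries after their MD5, so the basename is the hash.
"""
import os
import re
from collections import Counter

# Constructed scan log: hashes taken from the post, detection names invented.
SCAN_LOG = """\
/var/lib/nepenthes/binaries/958edd983aaa4de2cec1e9853bbb131a  infected: Worm.Example.A
/var/lib/nepenthes/binaries/df51e3310ef609e908a6b487a28ac068  infected: Worm.Example.A
/var/lib/nepenthes/binaries/3228f8bc721572422c268f244476dbb8  ok
/var/lib/nepenthes/binaries/6378feddae2fe9570d7919432716d0e0  infected: Backdoor.Example.B
some unrelated footer line
"""

# Hashes we expect verdicts for; in practice the MD5s from logged_submissions.
EXPECTED = {
    "958edd983aaa4de2cec1e9853bbb131a",
    "df51e3310ef609e908a6b487a28ac068",
    "3228f8bc721572422c268f244476dbb8",
    "6378feddae2fe9570d7919432716d0e0",
    "6e755ba02fb456765747fae6da02a98b",   # constructed: captured but never scanned
}

VERDICT_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ok>ok)|infected:\s*(?P<name>\S.*?))\s*$"
)
MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_scan_log(text):
    """Map sample MD5 -> detection name, or None when the scanner reported ok."""
    verdicts = {}
    for line in text.splitlines():
        m = VERDICT_RE.match(line)
        if not m:
            continue                              # progress/footer lines carry no verdict
        md5 = os.path.basename(m.group("path")).lower()
        if not MD5_RE.fullmatch(md5):
            continue                              # not a Nepenthes sample file
        verdicts[md5] = None if m.group("ok") else m.group("name")
    return verdicts


def reconcile(verdicts, expected):
    """Split samples into detected / undetected / unscanned and count families."""
    detected = {h: n for h, n in verdicts.items() if n}
    undetected = sorted(h for h, n in verdicts.items() if n is None)
    unscanned = sorted(set(expected) - set(verdicts))
    return {
        "scanned": len(verdicts),
        "detected": len(detected),
        "undetected": undetected,     # clean per this engine: look up by hash elsewhere
        "unscanned": unscanned,       # captured but missing a verdict: rerun the scan
        "families": Counter(detected.values()),
    }


if __name__ == "__main__":
    result = reconcile(parse_scan_log(SCAN_LOG), EXPECTED)
    print(f"{result['detected']} of {result['scanned']} samples flagged")
    print("undetected:", result["undetected"])
    print("unscanned:", result["unscanned"])
    print("unique detection names:", len(result["families"]))
```

The "unscanned" set is the check most people forget: a scanner that stops early or a log that was overwritten leaves samples with no verdict at all, which is different from a clean verdict and should be resolved before any per-family statistics are trusted.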

Some interesting information has been captured over the past thirty days. Nepenthes is a great tool for capturing malware and associated attack information. Over coming weeks I will pick a sample from the malware captured during this run & perform basic analysis of the binary. I am very new to reverse engineering but as the saying goes "Nothing ventured, nothing gained."

I have started this blog to help document research, tools and techniques. I am currently studying information security and have found a lot of value in postings by others who are also walking the info sec learning path.

Next on the radar:

- Cooper

958edd983aaa4de2cec1e9853bbb131a
df51e3310ef609e908a6b487a28ac068
3228f8bc721572422c268f244476dbb8
6378feddae2fe9570d7919432716d0e0
6e755ba02fb456765747fae6da02a98b
833cda5b5bef5989deb6bf57c557ce30
dde0a01dbd8171eb1a1cd3bc9cf9d166
f5fbd1189db83db22d7e6cdb55eed193
b41a774c2fbd7ceebbe3b56fc63bc83d
f8815cdca238ad5ab566f05f5a6335a4
69ae93394a325cc5cb926728bbd9cf50
e269d0462eb2b0b70d5e64dcd7c676cd
98eb0fdadf8a403c013a8b1882ec986d
3376c8ebbab4568ef395896e2af891c6
1d419d615dbe5a238bbaa569b3829a23
e421aa4513337102a1313b8f1f73512e
68ccb8c670c343c8c4c9330ab002e5a6
50ebb89fcadd1a18cf290b624c732e3b
50c6d3045d3490383ea7edfd8a8d8a03
f93424a924297d3649763b20706ece19
1af49e0cf3bf715d9055930a63d53566
14a09a48ad23fe0ea5a180bee8cb750a
4c6ed19a25e3fd467327338c6db1eb56
00cf8170cc43d294e9cfa45e13297738
954919ad5661e1b44803092360ac5d82
3875b6257d4d21d51ec13247ee4c1cdb
a31b955162ce160c869647e8444bb406
1f8a826b2ae94daa78f6542ad4ef173b
845658b526dbecfaa095094fb13c6f3a
2fa0e36b36382b74e6e6a437ad664a80
bb39f29fad85db12d9cf7195da0e1bfe
fd28c5e1c38caa35bf5e1987e6167f4c
cf263991bb889c28e6185ac4dd24668f
a6592850ee151a04c8f609f5f18827df
Comments (12)
  1. Great write-up Cooper! You should give dionaea a go as well. It is the successor of nepenthes. I have had some nice results from it.

    Cheers,
    Leon

  2. Thanks for the kind words Leon, appreciated! I will definitely be checking out Dionaea in the near future, have heard great things about it.

  3. Bro, your graph is so nice. What did you use to generate the graphs?

  4. Hi Najmi,

    The GeoMap was done using the Google Visualisation API – I then took a screenshot of the graph as it's generated in Flash and I wanted iPhone users to be able to view it. The others were created in Excel. Hope that helps.

    Best Regards,
    Cooper

  5. Hi, I installed nepenthes and left it running for five days, in which I collected some 15 binaries. I would now like to analyse them and use your submissions2stats tool on the logs.

    I am trying to run the .py file in my terminal. I cd’d to the location of the .py file and entered the following command: python submissions2stats.py

    Am I meant to give it an output file and if so how do I go about that?

    Any help is much appreciated.

  6. I got it, thanks

  7. Thanks Cooper,

    Can you please post the captured traffic samples/ shellcodes/ malware samples by Nepenthes so that I can know what is going on.

    Please

  8. Hi Ananth,

    Will send you the captured samples via yousendit later this evening. I have your email.

    Thanks for reading.

    Cooper

  9. Hi Darren,

    Apologies for the delay, been really busy lately… glad to see you got it going :)

    Cheers,
    Cooper

  10. Thank You Very Very Much…

  11. No worries, that has just been sent now – should have a notification from me shortly.

    Take care.

  12. Yah, I got it. But it is difficult to download it. My system deletes the file immediately. After a long time of playing around with security tools, I successfully did it.
