Analyzing Malware at home – Introduction

Hello,

As can be guessed from the previous posts Ab in die Cloud… (Reblogged) and Email Alerts for Amazon AWS Honeypots, I set up a honeypot “in the cloud” to collect some malware. So far dionaea has caught 14 malware binaries.

Ever since I bought the Malware Analyst’s Cookbook as a Kindle version I have wanted to dissect some malware and see how it works. But until now I always found some excuse not to do it, mainly, I guess, because I am not really into programming and dreaded the thought of not being able to reverse engineer any binaries with much success.

Luckily I was able to set up a FireEye “Malware Protection System” trial. What it does is extract binaries (plain and compressed ones) from data streams and run them in virtual machines to analyze what disk and registry changes they perform. If they behave maliciously you get an alert and can see a log of all changes, with the conspicuous ones highlighted.

That gave me some ideas on how to set this up myself on a VMware ESXi server: some virtual machines running Windows with Regmon and Diskmon, and a firewall to watch outgoing network traffic.

So my plan is to:

  • build a small “malware analysis laboratory”
  • analyze all binaries caught by dionaea
  • set up a malware section in this blog with a dedicated page for each binary that lists all findings I could make on it

I will accompany this with blog posts showing how I went about it, and maybe get some interesting suggestions on how to improve my methods.

In the next blog post I will cover the configuration of the lab environment I am building, so stay tuned.

As always I appreciate any questions, comments and suggestions in the reply section below!

Regards
Sebastian


10 Responses to Analyzing Malware at home – Introduction

  1. shahrooz says:

    Dear Sebastian

    Hi, I set up dionaea on my VMware machine (Ubuntu) and put it in the DMZ. Now I see thousands of attacks every day, but my Binaries directory is empty after 2 weeks running Dionaea.

    My SMB port 443 is blocked by the ISP!

    Do you know why my Binaries directory is empty?

    Thanks in advance

    Regards,
    Shahrooz

  2. SebastianB says:

    Hi shahrooz,

    I just checked my honeypot. I have been running dionaea for 7 months now and it collected 18 binaries and all of them came via SMB/TCP445.

    So I guess you won't collect many binaries with 445 blocked.

    Consider running a free dionaea in the Amazon AWS cloud:
    https://itunsecurity.wordpress.com/2013/03/14/243/
    https://itunsecurity.wordpress.com/2013/03/17/email-alerts-for-amazon-aws-honeypots-ubuntu-postfix/

    Regards
    Sebastian

  3. shahrooz says:

    Hi Sebastian,

    Thanks a million for your help.

    Is port 69 (TFTP) operating on your Dionaea honeypot? I configured everything correctly, but it seems that Dionaea doesn’t represent port 69 on my honeypot!

    Regards,
    Shahrooz

    • SebastianB says:

      Hi,

      I just checked the config and it should listen for tftp. Also a “netstat -a” shows that it has bound to udp port 69.

      However a simple “tftp honeypot” and “put filename” gives me a timeout, so I guess the tftp honeypot “listener/module” is not working properly or is not configured properly.

      However I have to confess that I never fully tested every part of dionaea, as I only wanted to get my hands on binaries, which I get plenty of via smb…

      But I guess tftp is not that famous anyway (I could be wrong though), but I would guess that you would have far more hits on regular ftp than tftp…

      Just a thought though.
      I still suggest you run a free honeypot on Amazon AWS where you can listen on smb/tcp445 without restrictions…

      Regards
      Sebastian

  4. shahrooz says:

    Dear Sebastian,,

    Hi, I implemented Dionaea on a VPS and it’s working perfectly. Thanks a million.
    What application is needed if I want to generate some statistics from the Sqllog.sqlite file on my Dionaea server? (I connect from Win7 to Ubuntu)

    Regards,
    Shahrooz

      • shahrooz says:

        Dear Sebastian

        Thanks a million for your help.

        I faced a weird problem. My Dionaea is working correctly and it’s collecting the information in the log files, and sandboxes are informing me about binary attacks, but my logsql.sqlite file is almost empty: some important tables such as the “Connection” table are completely empty, but the “dcerpcserviceops” table has some data.

        Have you faced a problem like this, or do you have any experience with this issue?

        Regards,
        Shahrooz

    • SebastianB says:

      Hi,

      to your question below (wordpress seems to only allow 1 tier of comment replies):

      I have not run into any problems with the logsql.sqlite file myself. I haven't tended the honeypot much lately and it's still running fine. My logsql.sqlite file is 36Mb by now…

      In your case I would do generic troubleshooting:

      1. Read the log files
      2. Reproduce the error (connect to a honeypot service) and tail the log files in real time to see if there are error messages regarding logging to the sqlite file.
      3. Based on the log entries, google for possible solutions if they do not directly point to the error/problem in the configuration

      Also, if you are stuck entirely, sometimes it's good to just start over:
      Set up a virtual machine and install dionaea again and see if you get the same result. If it works it might be easier to reinstall the entire thing, or it serves as a good configuration comparison…

      Sorry I can't give you more detailed help on this!

      Regards
      Sebastian
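Added example (editor's, not part of the post or its comments): a small Python script for the two questions raised in the thread, generating per-port and per-host connection statistics from dionaea's logsql.sqlite and checking for the "connections empty but dcerpcserviceops populated" symptom. The schema subset, the sample rows and the protocol names are constructed assumptions loosely following dionaea's logsql tables; on a real honeypot pass `sqlite3.connect("logsql.sqlite")` to the two analysis functions instead of the sample database.

```python
import sqlite3
from collections import Counter

# Constructed, minimal subset of dionaea's logsql.sqlite schema (assumption: only the
# columns used below, named as in dionaea's 'connections' and 'dcerpcserviceops' tables).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT, connection_transport TEXT,
    connection_protocol TEXT, connection_timestamp INTEGER,
    remote_host TEXT, remote_port INTEGER, local_host TEXT, local_port INTEGER);
CREATE TABLE dcerpcserviceops (
    dcerpcserviceop INTEGER PRIMARY KEY, dcerpcservice INTEGER,
    dcerpcserviceop_opnum INTEGER, dcerpcserviceop_name TEXT);
"""

# Constructed sample rows: three inbound SMB connections from two hosts and one TFTP hit.
SAMPLE_CONNECTIONS = [
    (1, "accept", "tcp", "smbd", 1363000000, "198.51.100.7", 51234, "10.0.0.5", 445),
    (2, "accept", "tcp", "smbd", 1363000060, "198.51.100.7", 51240, "10.0.0.5", 445),
    (3, "accept", "tcp", "smbd", 1363000120, "203.0.113.9", 40000, "10.0.0.5", 445),
    (4, "accept", "udp", "tftpd", 1363000180, "203.0.113.9", 40001, "10.0.0.5", 69),
]

def build_sample_db(rows=SAMPLE_CONNECTIONS):
    """In-memory stand-in for logsql.sqlite built from the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return db

def connection_stats(db):
    """Count accepted (inbound) connections per (protocol, local port) and per remote host."""
    by_port, by_host = Counter(), Counter()
    for proto, port, host in db.execute(
            "SELECT connection_protocol, local_port, remote_host FROM connections "
            "WHERE connection_type = 'accept'"):
        by_port[(proto, port)] += 1
        by_host[host] += 1
    return by_port, by_host

def logging_health(db):
    """Detect the symptom from the thread: dcerpcserviceops has rows but connections is empty."""
    n_conn = db.execute("SELECT COUNT(*) FROM connections").fetchone()[0]
    n_ops = db.execute("SELECT COUNT(*) FROM dcerpcserviceops").fetchone()[0]
    if n_conn == 0 and n_ops > 0:
        # dcerpcserviceops is normally filled at startup, so rows there with no logged
        # connections means the process runs but connection logging never writes.
        return "connections empty, dcerpcserviceops populated: sqlite logging not recording"
    return "ok" if n_conn else "no data logged yet"
```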
