We all know how important it is to run a firewall; whether it be the default Windows firewall, third-party software, or a hardware firewall on your network gateway, you would be mad to connect to the Internet without at least one! The ‘survival time’ is the amount of time an unprotected machine will last before it’s infected with malware; it’s shocking to see that this survival time is generally no more than 90 minutes! Almost all of these malware infections are the result of self-propagating worms and viruses spreading themselves around using known vulnerabilities.
I wanted to see for myself just how quickly a machine would be infected, how it would be infected, and how frequently it would be probed. Rather than putting a target machine openly on the Internet, I decided to use the Nepenthes malware collector. Nepenthes is a low interaction Honeypot, which emulates known vulnerabilities and captures worms as they attempt to infect it. While the way that Nepenthes operates means that it won’t detect attackers trying to exploit unknown vulnerabilities, it does allow us to detect new ways of exploiting known vulnerabilities.
For convenience, I chose to build my Honeypot on a virtual machine; if you have a spare machine hanging around, then you may prefer to use that.
First of all I grabbed a copy of the Debian-netinst image; this is only around 160MB. You could use the full Debian install disks but seeing as I’m not going to use X-windows it didn’t seem worth downloading the larger file. I won’t go over the basic installation and setup of Debian as the process is pretty self-explanatory.
Once the base install of Debian has finished, it would be a good idea to set a static IP address on the main network adaptor (eth0 in my case); to do this open up /etc/network/interfaces with nano:
# nano /etc/network/interfaces
Change the line:
iface eth0 inet dhcp
to:
iface eth0 inet static
Add the static IP information underneath that line:
Obviously you may want to adjust these to suit your own network; it’s worth double checking /etc/resolv.conf to see that the correct DNS server is in place. Make the changes live with:
# /etc/init.d/networking restart
# ifup eth0
Now make sure the system is up to date:
# apt-get update
# apt-get upgrade
Remove the exim4 MTA, as leaving it in place will stop the honeypot from listening on port 25:
# apt-get remove exim4
And install Nepenthes with its associated dependencies:
# apt-get install nepenthes
Once Nepenthes is installed there is actually very little configuration to be done to get things up and running. First of all, open up /etc/nepenthes/nepenthes.conf and see that the following lines are not commented out:
Also change replace_local_ips to 0.
Now check the configuration files above; they are all found in the /etc/nepenthes directory.
Inside submit-file.conf, you will find the path to a directory in your filesystem. This is where downloaded malware will be stored.
Norman sandbox is an automated malware analyser. Enter a valid e-mail address in submit-norman.conf; malware captured by your honeypot will be submitted to the Norman analyser and reports on the analysis will be sent to this address.
The file log-download.conf specifies the location of log files that will list downloaded malware and malware submissions.
Now restart Nepenthes with the updated configuration (the installation may have started it with the default config):
# /etc/init.d/nepenthes restart
The last step very much depends on the router/firewall in use. In my case, I’m using a Netgear ADSL router; this allows me to set a DMZ destination. The router then passes all incoming traffic to this address if there is no other rule defined for that particular port. If your router does not have a DMZ feature, you can manually redirect incoming connections on interesting ports to the Nepenthes collector.
I must say that I found it quite alarming how quickly Nepenthes started to collect information about attempted break-ins and automated malware downloads! It’s very interesting to see the large number of entries for ‘Unknown DCOM Shellcode’. By far the most frequently seen piece of malware has been mssmpp.exe, which seems to be a derivative of the W32.IRCBot Trojan that has been hanging around since 2002; this Trojan will infect the host, which then becomes a member of a botnet. As previously discussed, these botnets are used for all sorts of underground activities, most frequently spamming, launching denial of service attacks, and online fraud.
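To turn the download log that log-download.conf points at into the kind of summary above (most frequent file, most active sources, which fetch protocols the worms use), here is an added example script; it is not part of the original post or of Nepenthes, and the log line layout it parses (timestamp, attacker IP, honeypot IP, download URL) and the sample lines are assumptions constructed for the example, so adjust LINE_RE to your own logged_downloads file.

```python
"""Summarise a Nepenthes download log by filename, source IP and URL scheme."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed line layout (an assumption for this example, not taken from the
# Nepenthes source; adjust LINE_RE to match your own logged_downloads file):
#   [timestamp] attacker_ip -> honeypot_ip download_url
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<url>\S+)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
[2008-04-18T10:02:11] 192.0.2.10 -> 198.51.100.5 tftp://192.0.2.10/mssmpp.exe
[2008-04-18T10:03:47] 192.0.2.10 -> 198.51.100.5 tftp://192.0.2.10/mssmpp.exe
[2008-04-18T10:09:02] 203.0.113.77 -> 198.51.100.5 http://203.0.113.77:8080/x.exe
[2008-04-18T10:15:30] 192.0.2.33 -> 198.51.100.5 ftp://a:b@192.0.2.33/mssmpp.exe
this line is garbage and should be skipped
[2008-04-18T10:20:00] 192.0.2.33 -> 198.51.100.5 tftp://192.0.2.33/mssmpp.exe
"""

def parse_line(line):
    """Return a dict of ts/src/dst/url, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarise(text):
    """Count downloads by filename, by attacking source IP and by URL scheme."""
    by_file, by_src, by_scheme = Counter(), Counter(), Counter()
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:          # malformed line: count it rather than crash
            skipped += 1
            continue
        url = urlparse(rec["url"])
        name = url.path.rsplit("/", 1)[-1] or "<no filename>"
        by_file[name] += 1
        by_src[rec["src"]] += 1
        by_scheme[url.scheme] += 1
    return {"files": by_file, "sources": by_src, "schemes": by_scheme, "skipped": skipped}

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for key in ("files", "sources", "schemes"):
        print(key, s[key].most_common(3))
    print("skipped lines:", s["skipped"])
```

Run it against the real file instead by replacing SAMPLE_LOG with open(path).read(); a high skipped count means the assumed layout does not match your Nepenthes version.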
Do you currently run any honeypots? I’d be interested to hear which software you have chosen to use and how you have deployed it.