Malware automated download by Amun honeypot
Written by Muhammad Najmi Ahmad Zabidi
[Link] [at] [Link]
Intro
In this paper we document our series of experiments with the Amun virtual honeypot. If you have played around with the Nepenthes honeypot before, Amun will not be alien to you. In short, Amun supports:
1. non-Microsoft-Windows vulnerabilities
2. use of iproute to set up virtual hosts
3. malware downloads
4. submission of captured binaries to the CWSandbox and Anubis sandboxes
5. verbose logging
The reader may download the tarball from [Link] and extract it afterwards in the [Link]. As Amun is written in Python, we can simply invoke the startup script, amun_server.py. Apart from that, the Python module python-psyco has to be installed beforehand for it to work.
Good to go:
.::[Amun - Main] ready for evil orders: ::.
.::[Amun - shellcode_manager] found bonn xor decoder (key: 182) ::.
.::[Amun - shellcode_manager] found download URL: [Link] ::.
.::[Amun - submit_md5] download ([Link] 11267aa26f2b91339d69ef8d29dda748 (size: 23040) - PNP ::.
Given that the honeypot successfully lured a binary, we can trace the event back through the log files:
[Link]:
2008-07-15 [Link],466 INFO exploit 10.x.x.193:4537 -> 10.x.x.139:445 (PNP Vulnerability: [Link]
[Link]:
2008-07-15 [Link],576 INFO [submit_md5] download ([Link] 11267aa26f2b91339d69ef8d29dda748 (size: 23040) - PNP
successfull_downloads.log:
2008-07-15 [Link],572 INFO download ([Link] 11267aa26f2b91339d69ef8d29dda748 (size: 23040) - 10.x.x.193:1408 - PNP
Later, we can find the captured binary, stored under its MD5 hash as its filename, in the malware/ folder.
Result from AVG:
[Link] Trojan horse [Link]
root@nuvox:~/amun/malware/md5sum# clamscan *
[Link]: [Link]-11 FOUND
[Link]: [Link]-15 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 352337
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 2
Infected files: 2
Data scanned: 0.06 MB
Time: 8.628 sec (0 m 8 s)
Creating a graph with AfterGlow
"A picture is worth a thousand packets" ...
We can visualise the log files found in the logs/ folder within Amun's working directory. Say we have the "[Link]" file; we simply use GNU Awk to filter out the unnecessary fields so that we are left with three columns of data in Comma Separated Value (CSV) format:
source node, event, target node
which for our logs maps to:
source IP, malware's name, target IP
The Graphviz input is then created by invoking the [Link] Perl script, and circo renders it to a PNG:
cat [Link]|./[Link] -c [Link] -e 2 -p 3 > [Link]
cat [Link]|circo -Tpng -o [Link]
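As an added example of the filtering step (this is not code from the paper or from Amun), the following Python script parses exploit-log and successfull_downloads.log lines in the layout shown in the excerpts above into the source,event,target CSV that AfterGlow reads. The exact line format is assumed from those excerpts, and all sample lines, addresses and hashes are constructed. It uses the MD5 of the downloaded sample as the event when a download was logged for the same attacker and falls back to the vulnerability name otherwise, skips lines it cannot parse rather than guessing, and also checks that a file in malware/ really hashes to the MD5 it is named after.

```python
"""Turn Amun log lines into the 3-column CSV (source node, event, target node)
that AfterGlow reads. Added example, not part of Amun or of this paper: the
line layouts are assumed from the excerpts above, and every sample line,
address and hash below is constructed."""
import csv
import hashlib
import io
import re
import sys
from typing import Dict, List, Tuple

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# "<date> <time> INFO exploit <src>:<port> -> <dst>:<port> (<name> Vulnerability: ...)"
EXPLOIT_RE = re.compile(
    rf"^(?P<ts>\S+ \S+) INFO exploit (?P<src>{IP}):\d+ -> (?P<dst>{IP}):(?P<dport>\d+) "
    r"\((?P<vuln>[^:)]+)"
)
# "<date> <time> INFO download (<url>) <md5> (size: N) - <src>:<port> - <name>"
DOWNLOAD_RE = re.compile(
    rf"^(?P<ts>\S+ \S+) INFO download \((?P<url>[^)]*)\) (?P<md5>[0-9a-fA-F]{{32}}) "
    rf"\(size: (?P<size>\d+)\) [-\u2013] (?P<src>{IP}):\d+ [-\u2013] (?P<vuln>\S+)\s*$"
)

# Constructed sample input modelled on the excerpts (RFC 5737 test addresses).
EXPLOIT_LOG = """\
2008-07-15 18:52:35,466 INFO exploit 192.0.2.193:4537 -> 192.0.2.139:445 (PNP Vulnerability: http://example.invalid/x.exe)
2008-07-15 18:53:01,102 INFO exploit 192.0.2.77:2201 -> 192.0.2.139:135 (DCOM Vulnerability: http://example.invalid/y.exe)
2008-07-15 18:53:02,000 INFO amun_server restarted
"""
DOWNLOAD_LOG = """\
2008-07-15 18:52:36,572 INFO download (http://example.invalid/x.exe) 11267AA26F2B91339D69EF8D29DDA748 (size: 23040) - 192.0.2.193:1408 - PNP
"""


def parse_exploits(text: str) -> List[Dict[str, str]]:
    """Parse exploit alerts; lines that do not match the layout are skipped."""
    hits = []
    for line in text.splitlines():
        m = EXPLOIT_RE.match(line)
        if m:
            d = m.groupdict()
            d["vuln"] = d["vuln"].replace(" Vulnerability", "").strip()  # "PNP Vulnerability" -> "PNP"
            hits.append(d)
    return hits


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """Parse successful download records; MD5 is normalised to lower case."""
    out = []
    for line in text.splitlines():
        m = DOWNLOAD_RE.match(line)
        if m:
            d = m.groupdict()
            d["md5"] = d["md5"].lower()
            out.append(d)
    return out


def afterglow_rows(exploits, downloads) -> List[Tuple[str, str, str]]:
    """source IP, malware name (MD5 if a download from that attacker was logged,
    else the vulnerability name), target IP."""
    md5_by_src: Dict[str, str] = {}
    for d in downloads:
        md5_by_src[d["src"]] = d["md5"]  # last download from that attacker wins
    return [(e["src"], md5_by_src.get(e["src"], e["vuln"]), e["dst"]) for e in exploits]


def to_csv(rows) -> str:
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sample_name_matches(filename: str, data: bytes) -> bool:
    """Amun stores samples in malware/ under their MD5; confirm the file on
    disk is really the one the log claims before submitting it anywhere."""
    return filename.lower() == md5_hex(data)


def main(argv: List[str]) -> int:
    """usage: amun2csv.py exploits.log successfull_downloads.log > amun.csv
    (file names are assumed; with no arguments the constructed samples are used)"""
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            ex, dl = parse_exploits(f1.read()), parse_downloads(f2.read())
    else:
        ex, dl = parse_exploits(EXPLOIT_LOG), parse_downloads(DOWNLOAD_LOG)
    sys.stdout.write(to_csv(afterglow_rows(ex, dl)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The CSV it writes can be piped straight into the afterglow.pl / circo commands above in place of the awk filter. Matching on a strict layout and dropping anything else is deliberate: log lines from a honeypot are attacker-influenced input (the URL in the download record, for instance), so the script never lets an unexpected line shape produce a node in the graph.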