Wednesday, August 20, 2008  
Hunting in the Wild

There is a common myth that catching zero-day bots in the wild requires complex setups and lots of investment. We tell you an economical way of catching bots and worms: use Nepenthes, a honeypot

Anindya Roy

Friday, February 01, 2008

Apart from antivirus and updates, which form an integral part of any security system, we also need something extra to protect our network and mission-critical servers from deadly zero-day bot attacks. Remember those horrible days when worms and bots such as Welchia, Blaster and Slammer attacked the Internet and no patches, updates or antivirus signatures were available to stop them. By the time patches were made available and deployed, these worms had already infected millions of machines. New worms and bots like these get created every day, so we must keep an eye on the wild for such threats and inform antivirus companies when an unknown threat attacks our network.

Direct Hit!

Applies To: Security admins and security professionals
USP: Keep a check on the wild
Primary Link: None
Google Keywords: Nepenthes, Norman Sandbox, Honeypot

There is a common notion that this requires a huge setup and a lot of investment; but what if we tell you that all you need to build such a setup is a fraction of one server's resources and nothing else! You can create your own Honeypot for your internal network, or even for the Internet, that detects worms and bots without spending a single penny on software.
In this article we tell you how to set up such a Honeypot; the whole process should not take more than an hour of your time.

Basic Concept
We will deploy a Honeypot called Nepenthes, a specialized Honeypot for trapping Windows-based bots and worms. It passively keeps an eye on the network for any kind of suspicious bot-like activity; as soon as it finds something suspicious, it immediately downloads a copy of the binary to its own quarantine zone and sends a copy to the Norman Web-based sandbox along with your email id. Since Nepenthes runs on a Linux machine, it does not get infected by these Windows bots.

Norman Sandbox is a Web-based sandbox and binary analysis system where anyone can upload a suspicious binary file. The Norman website inspects the binary and emails a report back to the person who uploaded it. When Nepenthes sends a binary to Norman Sandbox, you automatically get an email with a complete report on the suspicious binary if it is a known bot or worm. But if the binary carries the signature of a new bot or worm, it is recommended that you submit the file either to antivirus vendors or to a site such as VirusTotal (www.virustotal.com), which is used by some 20-odd antivirus vendors to obtain malicious samples.

When you place the Honeypot in the LAN, it will detect and alert you about any malware attack

Scenarios for deploying Nepenthes
There are two basic scenarios for deploying Nepenthes:

  • One way is to place your Honeypot within the local network. This is the standard configuration that most people follow. Here the Honeypot will only be able to keep an eye on the local network, and will send alerts if any bot-like activity is found there.
  • The other scenario is to place your Honeypot on the Internet. Such a setup is good if you want to find new threats and submit them to antivirus solution providers for quick antidotes. Here you have to place the Honeypot either in a DMZ or directly on the Internet with dedicated connectivity.

Deploying Nepenthes
There are two installation methods you can use for deploying Nepenthes. The first is the traditional one: set up a standard Linux machine (most likely a Debian box), download and install the Nepenthes binaries, and then configure and run it.

Placing Nepenthes in the DMZ will not only trap the malware attacking the network, but it will also detect the attacks on the firewall

The easier way is to download the preconfigured Ubuntu-based 'Nepenthes Virtual Appliance' from http://tiny.cc/qGrpt.

After downloading this virtual appliance, you can run it on any machine that runs VMware Player or Workstation. The machine should have at least 1 GB of RAM and around 2 GB of free disk space. Once you have booted the Nepenthes appliance, you have to log in at the terminal.

For this, the default username is 'sparca' and the password is 'secure'.

Log in with these credentials and you will enter a command-line based Ubuntu environment.

Running Nepenthes is as simple as starting VMware Player and selecting the Ubuntu.VMX file from the Ubuntu-Nepenthes folder

Configuring Nepenthes
You need to make a few configuration changes so that Nepenthes works properly. First, go to the /etc/nepenthes folder and open the submit-norman.conf file by running the following command:

#sudo vi /etc/nepenthes/submit-norman.conf

This command opens the file in read/write mode with root privileges, and will therefore ask for a password. Provide the same password that you used earlier to log in. In the file that opens, replace the quoted text in the line Email “your@email.domain” with your own email address.

Once you are through, reboot the appliance and your Honeypot is ready. After it reboots, run the dhclient command to get an IP address from your network. You have to run this command with sudo as well:

#sudo dhclient

Now go to the home folder of the 'sparca' user and you will see a symlinked folder called binaries. This is where Nepenthes keeps all the suspicious binaries it captures. The binaries are stored under their MD5 checksum values as file names. And if you want to brush up your virus detection skills, you can open these binaries in any hex editor and see what exactly these bots do.
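As an added example (not from the article or the Nepenthes project), here is a small POSIX shell triage helper for that quarantine folder: because Nepenthes names each capture after its MD5, the helper recomputes the MD5 to confirm the file is intact and correctly named, checks for the "MZ" header a Windows PE executable starts with, and prints a SHA-256 you can look up at multi-engine scanners such as VirusTotal. The path /home/sparca/binaries comes from the article; the sample files it creates when run without arguments are harmless constructed placeholders, not real malware.

```shell
#!/bin/sh
# Added triage helper for the Nepenthes quarantine folder (~/binaries on the
# appliance). Every capture is stored under its MD5 checksum, so the file name
# is a claim we can verify. For each file we: recompute the MD5 and compare it
# with the name (catches truncated, corrupted or renamed captures before you
# analyse or submit them), check for the "MZ" magic of a Windows PE binary, and
# print the SHA-256 for lookups at multi-engine scanners.
# Exit status is the number of files whose name does not match their MD5.

triage_binaries() {
    dir="$1"; mismatches=0; total=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        name=$(basename "$f")
        md5=$(md5sum "$f" | cut -d' ' -f1)
        sha256=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        # tr strips NUL bytes so the substitution stays clean on binary input
        if [ "$(head -c 2 "$f" | tr -d '\000')" = "MZ" ]; then kind=PE; else kind=non-PE; fi
        if [ "$name" = "$md5" ]; then status=OK
        else status=MISMATCH; mismatches=$((mismatches + 1)); fi
        printf '%s\t%s\t%s\t%s bytes\tsha256=%s\n' "$status" "$name" "$kind" "$size" "$sha256"
    done
    printf 'SUMMARY\t%s files\t%s mismatches\n' "$total" "$mismatches"
    return "$mismatches"
}

# Constructed, harmless stand-ins for captured samples (not real malware): one
# file with a PE-style "MZ" header stored under its correct MD5, and one text
# file stored under a made-up name that does not match its MD5.
make_sample_dir() {
    dir="$1"
    printf 'MZ\220\000\003\000PLACEHOLDER-PE-STUB' > "$dir/tmp.bin"
    mv "$dir/tmp.bin" "$dir/$(md5sum "$dir/tmp.bin" | cut -d' ' -f1)"
    printf 'not a Windows binary\n' > "$dir/0123456789abcdef0123456789abcdef"
}

# Point it at a real quarantine folder (e.g. /home/sparca/binaries), or run
# without arguments for a demo on the constructed samples.
if [ -n "${1-}" ]; then
    triage_binaries "$1"
else
    demo=$(mktemp -d)
    make_sample_dir "$demo"
    triage_binaries "$demo"
    rm -rf "$demo"
fi
```

On the appliance, run it as sh triage.sh /home/sparca/binaries; a MISMATCH line means the capture should be treated as damaged rather than submitted under that hash.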
