
Hunting in the Wild

PCQ Bureau

Apart from antivirus and updates, which form an integral part of the security
system, we also need something extra to protect our network and mission-critical
servers from those deadly zero-day bot attacks. Remember those horrible days
when worms and bots such as Welchia, Blaster and Slammer attacked the Internet
and no patches, updates or antivirus were available to stop them. By the time
patches were made available and deployed, these worms had already affected
millions of machines. Such new worms and bots get created every day, and we must
keep an eye on the wild for such threats, and inform antivirus companies if some
unknown threat has attacked our network.


Direct Hit!

Applies To: Security admins and security professionals
USP: Keep a check on the wild
Primary Link: None
Google Keywords: Nepenthes, Norman Sandbox, Honeypot

There is a common notion that this might require huge setups and a lot of
investment; but what if we tell you that for creating such a setup all you
require is a fraction of one of your servers' resources and nothing else! You
can create your own Honeypot for your internal network or even for the Internet,
which can detect worms and bots without spending a single penny on the
software.

Here, in this article, we tell you how to set up such a Honeypot, and the whole
process should not take more than an hour of your precious time.

Basic Concept



We will deploy a Honeypot called Nepenthes, a specialized Honeypot for
trapping Windows-based bots and worms. It passively keeps an eye on the network
for any kind of suspicious bot-like activity; as soon as it finds something
suspicious, it immediately downloads a copy of the binary into its own quarantine
zone, and sends a copy of the same to the Norman Web-based sandbox along with
your email id. Since Nepenthes runs on a Linux machine, it doesn't get infected
by those bots.


Norman Sandbox is a Web-based sandbox and binary analysis system, where
anyone can upload any suspicious binary file. The Norman website inspects the
binary and sends a report back by email to the person who uploaded it. When
Nepenthes sends the binary to Norman Sandbox, you automatically get an email
with a complete report about the suspicious binary if it is a known bot or worm.
But if the binary has the signature of a new bot/worm, then it is recommended
that you submit the binary file either to some antivirus service providers or
to sites such as VirusTotal (www.virustotal.com), which is used by about 20-odd
antivirus vendors to get sample malicious specimens.

Figure: When you place the Honeypot in the LAN, it will detect and alert you about any malware attack

Scenarios for deploying Nepenthes



There are two basic scenarios for deploying Nepenthes:

  • One way is to place your Honeypot within the local network. This is the
    standard configuration, which most people follow. Here, the Honeypot will
    only be able to keep an eye on the local network and will send alerts in
    case any bot-like activity is found there.
  • The other scenario is to place your Honeypot on the Internet. Such a
    setup is good if you want to find new threats and submit them to the
    antivirus solution providers for quick antidotes. Here, you have to place
    the Honeypot either in a DMZ or leave it open on the Internet with
    dedicated connectivity.

Deploying Nepenthes



There are two installation methods that one can use for deploying Nepenthes.
The first method is the traditional one, where you put up a standard Linux
machine (most likely a Debian box), download and install the Nepenthes binaries,
and then configure and run it.

Figure: Placing Nepenthes in the DMZ will not only trap the malware attacking the network, but it will also detect the attacks on the firewall

The easiest way is to download the preconfigured Ubuntu-based 'Nepenthes
Virtual Appliance' from http://tiny.cc/qGrpt.

After downloading this virtual appliance, you can run it on any machine that
runs VMware Player or Workstation. The machine should have at least 1 GB of RAM
and around 2 GB of free disk space. Once you have booted your machine with the
Nepenthes appliance, you have to log in at the terminal.

For this, the default username is 'sparca' and the password is 'secure'. Change
this default password before you expose the appliance to anything other than a
trusted network, so that the Honeypot itself does not become the easiest target
on it.


Log in with these credentials and you will enter a command-line based Ubuntu
environment.

Configuring Nepenthes



You need to do certain configurations so that Nepenthes works properly.
First, go to the /etc/nepenthes folder and open the submit-norman.conf file by
running the following command:

Figure: Running Nepenthes is as simple as starting the VMware Player and selecting the Ubuntu.VMX file from the Ubuntu-Nepenthes folder

#sudo vi /etc/nepenthes/submit-norman.conf

This command opens the file in read/write mode with root privileges, and will
hence ask for a password. Provide the same password that you used earlier to
log in. In the file that opens up, find the line Email "your@email.domain" and
replace the quoted text with your own email address.

Once you are through, reboot the appliance and your Honeypot is ready. Once it
reboots, run the dhclient command (the ISC DHCP client; the article's original
spelling 'dhcpclient' is not a command on Ubuntu) to get an IP address from
your network. You have to run this command along with the sudo command:

#sudo dhclient

Now, go to the home folder of the 'sparca' user and you will see a symlinked
folder called binaries. This is the place where Nepenthes keeps all the
suspicious binaries it captures. The binaries are stored under their MD5
checksum values as file names. And if you want to brush up your virus detection
skills, you can open these binaries in any hex editor and see what exactly
these bots do.
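As an added example (this is not code from the article or from the Nepenthes project), the following Python script triages the files in that binaries folder the way a defender would before opening them in a hex editor or submitting them to Norman Sandbox or VirusTotal: it verifies that each file name really is the MD5 of its contents, computes the SHA-256 (the hash most vendor portals accept for a lookup, and collision-resistant where MD5 is not), checks whether the sample carries a Windows PE header, and prints a short hexdump. The binaries path (/home/sparca/binaries) is the one the article gives; the two harmless files in the sample directory are constructed by the script itself so it runs offline.

```python
# Added example, not part of the original article or of Nepenthes: triage the
# files Nepenthes drops into its "binaries" folder. Nepenthes names each
# captured file after the MD5 of its contents, so the name is a checksum we
# can verify; we also compute SHA-256 for hash lookups and inspect the first
# bytes to see whether the sample is a Windows PE executable.
import hashlib
import os
import tempfile

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def hexdump(data: bytes, width: int = 16, max_rows: int = 4) -> str:
    """Return a small hex/ASCII dump like the first lines of a hex editor."""
    rows = []
    for off in range(0, min(len(data), width * max_rows), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(rows)


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def triage_file(path: str) -> dict:
    """Hash one captured file and check that its name matches its MD5."""
    with open(path, "rb") as fh:
        data = fh.read()
    md5 = hashlib.md5(data).hexdigest()
    return {
        "name": os.path.basename(path),
        "size": len(data),
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "name_matches_md5": os.path.basename(path).lower() == md5,
        "is_pe": looks_like_pe(data),
        "head": hexdump(data),
    }


def triage_directory(directory: str) -> list:
    """Triage every regular file in the binaries folder, sorted by name."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results.append(triage_file(path))
    return results


def build_sample_directory() -> str:
    """Create a constructed stand-in for /home/sparca/binaries.

    One file is a minimal, non-executable PE-shaped byte string (MZ header
    plus a PE signature at e_lfanew) named after its real MD5; the other is
    plain text stored under a name that does not match its hash.
    """
    directory = tempfile.mkdtemp(prefix="nepenthes-binaries-")
    pe_like = bytearray(b"MZ" + b"\x00" * 0x3A)   # 0x3C bytes of DOS header
    pe_like += (0x40).to_bytes(4, "little")        # e_lfanew -> offset 0x40
    pe_like += PE_SIGNATURE + b"\x00" * 20
    pe_like = bytes(pe_like)
    with open(os.path.join(directory, hashlib.md5(pe_like).hexdigest()), "wb") as fh:
        fh.write(pe_like)
    with open(os.path.join(directory, "0" * 32), "wb") as fh:
        fh.write(b"not a bot, just a constructed text file\n")
    return directory


if __name__ == "__main__":
    # Point this at /home/sparca/binaries on the appliance; here the
    # constructed sample directory is used so the script runs offline.
    for entry in triage_directory(build_sample_directory()):
        status = "OK" if entry["name_matches_md5"] else "NAME/MD5 MISMATCH"
        kind = "PE executable" if entry["is_pe"] else "not a PE file"
        print(f"{entry['name']}  {entry['size']} bytes  {status}  {kind}")
        print(f"  sha256: {entry['sha256']}")
        print(entry["head"])
```

A name/MD5 mismatch means the file was renamed or altered after capture and should be treated with suspicion in its own right; the SHA-256 is what you would search for on VirusTotal before deciding whether a sample is new enough to be worth uploading.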
