Observing Malware Outbreaks with Honeypots

Low-interaction honeypots like Nepenthes or Amun are good at capturing autonomous spreading malware that propagates by exploiting vulnerabilities in network services: by emulating specific vulnerabilities, these honeypots trick the malware into exploiting the honeypot, so that we can capture a copy of the malware.
These honeypots also allow us to observe outbreaks of new malware samples: since quite a few people run Nepenthes or Amun nowadays and also send the captured samples to cwsandbox.org for automated malware analysis, we can correlate the submissions of many different sensors at a central location. For example, we received the malware sample with MD5 sum cb032b12af742555e60124f6d7d2d2ea from a total of 57 different sensors at the timestamps depicted below:

Timestamp Filename
2008-01-10 19:36:25 grospolinacb032b12af742555e60124f6d7d2d2eauLa1AA
2008-01-10 22:11:47 nepenthescb032b12af742555e60124f6d7d2d2easBj96A
2008-01-11 00:03:32 nepenthescb032b12af742555e60124f6d7d2d2easm4aaA
2008-01-11 00:18:58 nepenthescb032b12af742555e60124f6d7d2d2eaA
2008-01-11 00:22:22 nepenthescb032b12af742555e60124f6d7d2d2eayK4gcQ
2008-01-11 00:22:56 nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA
2008-01-11 00:34:36 nepenthescb032b12af742555e60124f6d7d2d2eaf92wA
2008-01-11 00:44:56 nepenthescb032b12af742555e60124f6d7d2d2eaBmLfOg
2008-01-11 00:45:09 nepenthescb032b12af742555e60124f6d7d2d2eagv4WoQ
2008-01-11 00:53:59 nepenthescb032b12af742555e60124f6d7d2d2eaOewZcA
2008-01-11 01:11:01 nepenthescb032b12af742555e60124f6d7d2d2eaQANtUA
2008-01-11 01:56:59 nepenthescb032b12af742555e60124f6d7d2d2eaeEtIA
2008-01-11 04:48:11 nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA
2008-01-11 05:32:44 nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA
2008-01-11 06:35:31 nepenthescb032b12af742555e60124f6d7d2d2eaf0fA
2008-01-11 08:21:13 nepenthescb032b12af742555e60124f6d7d2d2eaze0fA
2008-01-11 08:49:09 nepenthescb032b12af742555e60124f6d7d2d2eaSu4fA
2008-01-11 09:25:49 nepenthescb032b12af742555e60124f6d7d2d2eaanj2kA
2008-01-11 09:41:40 nepenthescb032b12af742555e60124f6d7d2d2eaJ8ZcA
2008-01-11 12:00:10 cb032b12af742555e60124f6d7d2d2ea
2008-01-11 13:42:14 nepenthescb032b12af742555e60124f6d7d2d2ea1E4a6A
2008-01-11 14:15:43 nepenthescb032b12af742555e60124f6d7d2d2eaSHkgA
2008-01-11 14:37:06 grospolinacb032b12af742555e60124f6d7d2d2eamKgfA
2008-01-11 14:38:37 nepenthescb032b12af742555e60124f6d7d2d2eabGhXGQ
2008-01-11 18:30:29 nepenthescb032b12af742555e60124f6d7d2d2eaMPofKg
2008-01-11 18:39:25 nepenthescb032b12af742555e60124f6d7d2d2eaGSGoWQ
2008-01-11 20:33:26 nepenthescb032b12af742555e60124f6d7d2d2eab0fA
2008-01-12 04:19:46 nepenthescb032b12af742555e60124f6d7d2d2eauJQiA
2008-01-12 12:12:12 nepenthescb032b12af742555e60124f6d7d2d2eaGDoqMQ
2008-01-12 14:32:15 nepenthescb032b12af742555e60124f6d7d2d2eaSIUgA
2008-01-13 20:37:45 nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA
2008-01-14 17:38:54 nepenthescb032b12af742555e60124f6d7d2d2eaQ8fA
2008-01-14 22:26:54 grospolinacb032b12af742555e60124f6d7d2d2ea2rqiGw
2008-01-15 06:27:12 nepenthescb032b12af742555e60124f6d7d2d2eaM0sA
2008-01-15 09:32:40 nepenthescb032b12af742555e60124f6d7d2d2eaM0sA
2008-01-18 10:20:58 nepenthescb032b12af742555e60124f6d7d2d2eaKEuA
2008-01-19 02:10:38 nepenthescb032b12af742555e60124f6d7d2d2eagfofkA
2008-01-20 05:37:39 nepenthescb032b12af742555e60124f6d7d2d2eaxeoZcA
2008-01-25 09:43:36 nepenthescb032b12af742555e60124f6d7d2d2eaLvAfA
2008-01-29 15:36:08 nepenthescb032b12af742555e60124f6d7d2d2eaBxofsA
2008-01-29 20:47:39 nepenthescb032b12af742555e60124f6d7d2d2eaJ00A
2008-02-01 18:48:12 nepenthescb032b12af742555e60124f6d7d2d2eaEcoA
2008-02-02 12:24:22 nepenthescb032b12af742555e60124f6d7d2d2eawcUgLg
2008-02-02 19:35:56 cb032b12af742555e60124f6d7d2d2ea
2008-02-07 13:59:24 cb032b12af742555e60124f6d7d2d2ea.dat
2008-02-08 15:48:30 nepenthescb032b12af742555e60124f6d7d2d2eaGfoWA
2008-02-14 14:14:03 cb032b12af742555e60124f6d7d2d2eacb032b12af742555...2ea
2008-02-21 14:20:01 nepenthescb032b12af742555e60124f6d7d2d2eaWN0fA
2008-02-28 16:56:53 nepenthescb032b12af742555e60124f6d7d2d2eaoexA
2008-03-03 15:15:39 nepenthescb032b12af742555e60124f6d7d2d2eaA
2008-03-11 02:56:00 nepenthescb032b12af742555e60124f6d7d2d2eaAfA
2008-03-14 11:11:51 nepenthescb032b12af742555e60124f6d7d2d2eaJgfA
2008-03-15 17:31:37 nepenthescb032b12af742555e60124f6d7d2d2eaGGYnA
2008-03-20 10:55:43 nepenthescb032b12af742555e60124f6d7d2d2eacb032b1...2ea
2008-03-20 17:05:07 nepenthescb032b12af742555e60124f6d7d2d2eaoflA
2008-03-31 12:12:02 nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA
2008-04-07 07:06:12 nepenthescb032b12af742555e60124f6d7d2d2eaxMUg3A
2008-04-08 02:37:22 cb032b12af742555e60124f6d7d2d2ea

Each timestamp depicts the first point in time at which the specific sensor captured a copy of the malware. As you can see, the malware outbreak presumably happened on January 10, 2008. From then on, honeypot sensors all around the world captured copies of this specific bot. The CWSandbox report contains more detailed information about the botnet, e.g.:
  • The bot creates a file named C:\WINDOWS\system32\explorer.exe, which is a copy of itself

  • It creates a Run key in the Windows registry so that the bot is started again after a reboot

  • The C&C server is located at the IP address 67.43.232.36 and listens on the TCP port 8080

  • The C&C channel is #wawa, and the command issued by the botmaster at the time of analysis was: ipscan s.s.s dcom2 -f -s
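The correlation described above, as an added example that is not the blog's or cwsandbox.org's own tooling: it parses submission lines in the "timestamp filename" format of the table (a constructed excerpt of that table is embedded), anchors on the known MD5 to split the sensor-family prefix off the filename, and reports the first sighting and the per-day outbreak curve for one sample.

```python
from collections import Counter
from datetime import datetime
import re

# Constructed excerpt of the sensor submission log shown in the post
# (one "timestamp filename" pair per line; the real table has 57 rows).
SUBMISSIONS = """\
2008-01-10 19:36:25 grospolinacb032b12af742555e60124f6d7d2d2eauLa1AA
2008-01-10 22:11:47 nepenthescb032b12af742555e60124f6d7d2d2easBj96A
2008-01-11 00:03:32 nepenthescb032b12af742555e60124f6d7d2d2easm4aaA
2008-01-11 12:00:10 cb032b12af742555e60124f6d7d2d2ea
2008-01-11 14:37:06 grospolinacb032b12af742555e60124f6d7d2d2eamKgfA
2008-01-12 04:19:46 nepenthescb032b12af742555e60124f6d7d2d2eauJQiA
2008-02-07 13:59:24 cb032b12af742555e60124f6d7d2d2ea.dat
2008-04-08 02:37:22 cb032b12af742555e60124f6d7d2d2ea
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+)$")


def parse_submissions(text, md5):
    """Yield (timestamp, sensor prefix) for every line whose filename contains md5."""
    md5 = md5.lower()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fname = m.group(2).lower()
        pos = fname.find(md5)
        if pos < 0:
            continue  # submission of a different sample
        # The text before the hash names the submitting honeypot family
        # ("nepenthes", "grospolina"); a bare hash has no prefix. We anchor on
        # the known hash rather than a generic [0-9a-f]{32} search because both
        # prefixes end in a hex letter, which would shift such a match by one.
        yield ts, fname[:pos] or "unknown"


def outbreak_summary(text, md5):
    """First sighting plus per-day and per-prefix submission counts for one sample."""
    per_day, per_prefix, first_seen = Counter(), Counter(), None
    for ts, prefix in parse_submissions(text, md5):
        per_day[ts.date().isoformat()] += 1
        per_prefix[prefix] += 1
        if first_seen is None or ts < first_seen:
            first_seen = ts
    return {"first_seen": first_seen, "submissions": sum(per_day.values()),
            "per_day": dict(per_day), "per_prefix": dict(per_prefix)}
```

Because each line is a sensor's first capture, the per-day counts are the number of new sensors hit per day, so the steep first two days followed by a long tail is the outbreak curve the post describes.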

Comments

  1. katsumi says:

    I found three of my honeypots reporting this binary, as you can verify via filename grospolina???????????????????????
    belfagor reported it at
    64816 Jan 17 2008 /opt/nepenthes/var/binaries/cb032b12af742555e60124f6d7d2d2ea
    however, that's a long time in the past,
    and the content was deleted once,
    so I can't verify whether it was first caught by moloch or baal, so I can't help.
    What's the idea behind it?
