Capturing Malware with Honeypot on Unifi Network

After almost one day of running a malware honeypot on my Unifi network, I would like to share some statistics and information from it.

What is Unifi?

Unifi is a high-speed broadband service from TMNET. Unifi can be considered one of the fastest public networks in Malaysia. With the speed available, it will certainly attract many internet abusers. With the aim of seeing what kinds of misuse happen inside the Unifi network itself, I have run Dionaea to detect and capture malware. The attacker or infected machine could come from any country into the Unifi network.

My 10Mb Unifi dynamic IP address and gateway information:

IP Address: 110.159.151.7x
Subnet Mask: 255.255.255.255
Default Gateway: 110.159.151.76
DNS: 202.188.0.133, 202.188.1.5

What is Dionaea?

Dionaea is meant to be a nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.

Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.

Dionaea offers the following services by default: SMB (the main service offered), HTTP, FTP and TFTP.

One of the captured activities on samba:

I submitted the URL from the screenshot to VirusTotal, and it seems it had already been blocked by a few anti-virus vendors 3 weeks ago. So basically this is not a new threat.

The malware analysis from GFI Sandbox concluded that the g.exe program is a worm.

The MD5 hash of the captured malware is ee94b06c5edc3f9e75a26c0108d08b55, and virustotal.com has also listed and identified this malware as a worm:

Full URL: https://www.virustotal.com/file/e311babb0755d92168a9501b9c0ec3ada533b8c5d2d3a345bcf00608eaf103ad/analysis/

Statistics from the log file (statistics engine written by Andrew Waite, http://www.infosanity.co.uk):

Number of submissions: 4
Number of unique samples: 1
Number of unique source IPs: 1

First sample seen: 2012-09-19 15:36:17.534004
Last sample seen: 2012-09-19 23:04:21.389548
System Uptime: 7:28:03.855544

Most recent submissions:
2012-09-19 23:04:21.389548, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 21:34:26.923448, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 20:46:47.013040, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 15:36:17.534004, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
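To reproduce the summary block above from the raw submission lines, here is an added Python example (not part of the original post and not Andrew Waite's statistics engine). It parses the "timestamp, source IP, download URL, md5" lines shown, rejects malformed ones, and additionally groups submissions by hash so a sample fetched from several URLs or sources would stand out; the interval between the first and last sample is computed as well.

```python
from collections import defaultdict
from datetime import datetime

# Submission lines as printed above: "<timestamp>, <source IP>, <download URL>, <md5>"
SUBMISSIONS = """\
2012-09-19 23:04:21.389548, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 21:34:26.923448, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 20:46:47.013040, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 15:36:17.534004, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
HEX = set("0123456789abcdef")

def parse_submission(line):
    """Split one submission line into its fields; return None for malformed lines."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    ts, src, url, md5 = parts
    md5 = md5.lower()
    if len(md5) != 32 or not set(md5) <= HEX:
        return None
    try:
        when = datetime.strptime(ts, TS_FORMAT)
    except ValueError:
        return None
    return {"time": when, "src": src, "url": url, "md5": md5}

def summarize(text):
    """Rebuild the summary block: counts, first/last seen, and per-sample detail."""
    records = [r for r in map(parse_submission, text.splitlines()) if r]
    if not records:
        return {"submissions": 0}
    times = [r["time"] for r in records]
    # Group by hash so one sample pulled from several URLs or sources stands out.
    by_sample = defaultdict(lambda: {"count": 0, "sources": set(), "urls": set()})
    for r in records:
        by_sample[r["md5"]]["count"] += 1
        by_sample[r["md5"]]["sources"].add(r["src"])
        by_sample[r["md5"]]["urls"].add(r["url"])
    return {
        "submissions": len(records),
        "unique_samples": len(by_sample),
        "unique_sources": len({r["src"] for r in records}),
        "first_seen": min(times),
        "last_seen": max(times),
        "span": max(times) - min(times),  # interval between first and last sample
        "by_sample": dict(by_sample),
    }
```

Run `summarize(SUBMISSIONS)` to get the same four counts and timestamps as the block above, plus the per-hash grouping.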

For now I will keep the honeypot running to capture more malware activity and keep posting information about it.

A new computer lab and my portable LCD stand.

It has been a while; it is about time to get a new lab and environment. For now, this is how my computer lab looks.

My own design of a portable LCD stand. It can be flat-packed and comes with 4 rubber wheels (locking and unlocking). It fits LCDs from 32″ to 52″. It is suitable for heavy usage (workshop/outdoor/event) and has a very wide frame at the bottom to increase stability. At the back you can find an adjustable LCD holder so you can move the LCD up and down. The best part is that it is cheaper than other portable LCD stands available on the market.

Nagios – Popular Monitoring System

What would be the most industry-standard monitoring system? My answer is Nagios. I have deployed Nagios multiple times in critical, large-scale and small-to-medium environments, and it never fails to deliver and does exactly what it is supposed to do.

Nagios is considered by many network professionals as the best open-source software out there for network monitoring. It is certainly the most popular of the bunch. Originally designed to run best on a Linux setup, it is also available for Unix, and these Unix variants are not difficult to locate. Nagios is designed to monitor many different network protocols including POP2, HTTP, NNTP, FTP, SSH, SMTP, ICMP and SNMP. It is also designed to monitor resources such as disk usage, system logs and processor load. It handles remote monitoring by utilizing SSL or SSH via encrypted tunnels.

Nagios is a server monitoring application designed with a simple but extremely user-friendly interface, and it is extended with simple plug-ins. This allows users to customize their setup based on their individual needs. Nagios has an amazing ability to differentiate downed hosts from those that are simply unreachable. This is accomplished by utilizing a host hierarchy that uses “parent” hosts. When network problems arise, the network administrator is immediately notified via the method of choice, be that email, SMS, or whatever other method has been selected. Nagios is head and shoulders above some of the other competition in this niche when it comes to customer loyalty and reputation.

Smooth-Sec 64bit edition is out

Smooth-Sec is a ready-to-go IDS/IPS (Intrusion Detection/Prevention System) Linux distribution based on the multi-threaded Suricata IDS/IPS engine and Snorby, the top-notch web application for network security monitoring. Functionality is the key point: it allows a complete IDS/IPS system to be deployed, up and running out of the box, within a few minutes, even for security beginners with minimal Linux experience.

Smooth-Sec 64bit edition features:

Operating system: Debian 6.0 squeeze 64-bit
IDS: Suricata 1.3 stable
WEB Console: Snorby 2.5.1
Database: MariaDB 5.5.25
Log interpreter: Barnyard2 2.1.10-beta2
Web framework: nginx/0.8.54 – passenger-3.0.4

ISO Download:
http://sourceforge.net/projects/smoothsec/files/SmoothSec-2.0/