Capturing Malware with Honeypot on Unifi Network

After almost 1 day of operation to monitor my Unifi network, here I would like to share some statistics and information on my malware honeypot.

What is Unifi:

Unifi is a high-speed broadband service from TMNET. Unifi can be considered one of the fastest public networks in Malaysia. With the speed it offers, it is bound to attract many internet abusers. To see what misuse actually takes place inside the Unifi network itself, I have run Dionaea to detect and capture malware. The attacker or infected machine could come from any country and reach into the Unifi network.

My 10mb Unifi dynamic IP address and gateway information:

IP Address: 110.159.151.7x
Subnet Mask: 255.255.255.255
Default Gateway: 110.159.151.76
DNS: 202.188.0.133, 202.188.1.5

What is Dionaea?

Dionaea is meant to be a nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.

Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware.

Dionaea offers the following services by default, SMB (main service offered), HTTP, FTP and TFTP.

One of the captured activities on the SMB (samba) service:

From the URL in the screenshot: I submitted the URL to VirusTotal, and it appears it was already flagged by a few antivirus vendors 3 weeks ago. So this is not a new threat.

In the malware analysis from GFI Sandbox, they concluded that the g.exe program is a worm.

The MD5 hash of the captured malware is ee94b06c5edc3f9e75a26c0108d08b55, and virustotal.com has listed and identified this sample as a WORM too:

Full URL: https://www.virustotal.com/file/e311babb0755d92168a9501b9c0ec3ada533b8c5d2d3a345bcf00608eaf103ad/analysis/

Statistics from the log file: Statistics engine written by Andrew Waite – http://www.infosanity.co.uk

Number of submissions: 4
Number of unique samples: 1
Number of unique source IPs: 1

First sample seen: 2012-09-19 15:36:17.534004
Last sample seen: 2012-09-19 23:04:21.389548
System Uptime: 7:28:03.855544

Most recent submissions:
2012-09-19 23:04:21.389548, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 21:34:26.923448, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 20:46:47.013040, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 15:36:17.534004, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
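As an added example (not the author's setup or Andrew Waite's statistics engine), the Python below recomputes the summary numbers above from submission lines in the same "timestamp, source IP, download URL, MD5" layout. The four sample lines are the ones from the log above; the parser and the `summarize` function are hypothetical code written here.

```python
"""Recompute honeypot submission statistics from Dionaea-style log lines.
Added example; the four SUBMISSIONS lines are copied from the post."""
from collections import Counter
from datetime import datetime

SUBMISSIONS = """\
2012-09-19 23:04:21.389548, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 21:34:26.923448, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 20:46:47.013040, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 15:36:17.534004, 110.159.225.129, http://146.185.246.55/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
"""

def parse_submissions(text):
    """Yield (timestamp, source_ip, url, md5) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue  # not a submission record
        ts, src, url, md5 = parts
        if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5.lower()):
            continue  # not an MD5 hex digest
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), src, url, md5.lower()

def summarize(text):
    """Return the same summary fields the post's statistics block shows."""
    rows = list(parse_submissions(text))
    if not rows:
        return {"submissions": 0}
    times = [r[0] for r in rows]
    return {
        "submissions": len(rows),
        "unique_samples": len({r[3] for r in rows}),
        "unique_sources": len({r[1] for r in rows}),
        "unique_urls": len({r[2] for r in rows}),
        "first_seen": min(times),
        "last_seen": max(times),
        "span": max(times) - min(times),
        # Same hash fetched repeatedly from one host: a single infected
        # machine retrying, which is worth correlating with SMB exploit logs.
        "repeat_pairs": Counter((r[1], r[3]) for r in rows).most_common(3),
    }

if __name__ == "__main__":
    for key, value in summarize(SUBMISSIONS).items():
        print(f"{key}: {value}")
```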

As for now I will keep my honeypot running to capture more malware activity and keep posting information on this.

2 thoughts on “Capturing Malware with Honeypot on Unifi Network”

  1. Pingback: SSH Honeypotting – Caught bad guy in action (most probably script kiddie). « wnnsnn
