After almost 1 day of operation to monitor my Unifi network, here I would like to share some statistics and information on my malware honeypot.
What is Unifi:
Unifi adalah high speed broadband service from TMNET. Boleh di-consider-kan Unifi is one of the fastest public network di Malaysia. Dengan kelajuan yang ada, pastinya ia akan menarik minat ramai internet abuser. Dengan motif untuk melihat apakah misused activities yang berlaku didalam network Unifi itu sendiri, I have run Dionaea to detect and capture malware. Attacker or infected machine could come from any country –> Unifi network.
My 10mb Unifi dynamic IP address & gateway information:
|IP Address :||
|Subnet Mask :||
|Default Gateway :||
What is Dionaea?
Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls
Dionaea intention is to trap malware exploiting vulnerabilities exposed by services offerd to a network, the ultimate goal is gaining a copy of the malware.
Dionaea offers the following services by default, SMB (main service offered), HTTP, FTP and TFTP.
One of captured activity on samba:
On the malware analysis from GFI Sanbox, they have conclude that g.exe program as a worm.
From the captured malware the MD5 hashes is ee94b06c5edc3f9e75a26c0108d08b55 and virustotal.com has listed and identified this malware as a WORM too:
Statistics from the log file: Statistics engine written by Andrew Waite – http://www.infosanity.co.uk
Number of submissions: 4
Number of unique samples: 1
Number of unique source IPs: 1
First sample seen: 2012-09-19 15:36:17.534004
Last sample seen: 2012-09-19 23:04:21.389548
System Uptime: 7:28:03.855544
Most recent submissions:
2012-09-19 23:04:21.389548, 22.214.171.124, http://126.96.36.199/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 21:34:26.923448, 188.8.131.52, http://184.108.40.206/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 20:46:47.013040, 220.127.116.11, http://18.104.22.168/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
2012-09-19 15:36:17.534004, 22.214.171.124, http://126.96.36.199/g.exe, ee94b06c5edc3f9e75a26c0108d08b55
As for now I will keep my honeypot running to capture more malware activity and keep posting information on this.