Recently I have been struggling to find a steady stream of fresh malware samples to play with. Originally I had an educational research agreement with VirusTotal to gain access to their awesome Intelligence community which allows me to create my own YARA rules for catching samples. Unfortunately, this contract has expired and I do not foresee a new one any time soon.
That said, I decided it was about time I go hunting for my own samples...well...more like let the samples come to me. I took it upon myself to set up my own small honeypot network on a couple of EC2 instances (Thanks Amazon for the free credit :D ). On these instances I have deployed the Modern Honeypot Network to help manage my fake services.
My Sensors
Being new to running my own honeypots, I decided to get as much bang-for-my-buck as I could on my two EC2 instances. One instance is running as my MHN Master while the other is my MHN slave with multiple sensors and services deployed, ready to log malicious traffic. A quick overview of my setup via the MHN admin UI is below:
As you can see I'm running quite a few services: p0f, Kippo, Glastopf, Snort, and Dionaea. Aside from Kippo, this is my first experience using any of these honeypot services, but MHN makes it super easy to deploy them as sensors by offering scripts that handle the setup and configuration for you. After that, just a few tweaks are needed to make sure the sensors are relaying all of the logging information to the Master server properly.
The Results
Within MINUTES of deploying my sensors I was raking in the attack logs. Isn't the wild internet great? I was very impressed with the results and speed. It's been about two days now and I have decided to share an overview of the attacks so far.
As you can see...the attacks are plentiful and in just the last 24 hours I have eaten 480 hits. What's nice about MHN is that it aggregates all of the relevant information onto a single dashboard. It even allows for easy viewing of payload information such as SNORT triggers and GET requests:
My final favorite feature of MHN is the Kippo graph reports. Kippo is simply an SSH honeypot that logs attempted logins and attacks. What's nice about MHN is that it will give a quick overview of the top attacker IPs and user:password combinations.
Conclusion
While I have not yet captured any actual malware binaries (Dionaea's capture feature), I have already learned quite a bit about not only running my own honeypots, but also the nature of internet attacks in the wild. It's only been a few days but I am already starting to see a pattern in attack times and spikes in traffic that seem to hint at botnets carrying out the majority of these attacks. If this is the case then it is quite clear that malicious actors are leveraging their infected zombies as spreaders, essentially a botnet internet worm. In time I hope to gather more information from this new setup and perhaps even build analysis charts with Kibana and Elasticsearch to confirm my hypothesis.
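As an added example (not code from this post, MHN or Kippo), the script below builds the same views the Kippo report gives, top attacker IPs and top user:password pairs, plus an attempts-per-hour histogram as a first check for the time-of-day bursts mentioned above. The log lines are constructed, and the regex assumes Kippo's text log format; adjust it to whatever the sensor actually writes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (RFC 5737 test addresses), assumed to approximate
# Kippo's text log: timestamp, transport id + attacker IP, login attempt result.
SAMPLE_LOG = """\
2015-03-01 02:11:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2015-03-01 02:11:07+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/password] failed
2015-03-01 02:12:40+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2015-03-01 02:13:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] succeeded
2015-03-01 14:05:22+0000 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.9] login attempt [root/123456] failed
2015-03-01 14:05:25+0000 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.9] login attempt [root/toor] failed
2015-03-01 14:06:00+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.7] login attempt [admin/admin] failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* "
    r"\[SSHService [^,]*,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_kippo(text):
    """Yield (timestamp, ip, user, password, result) for each login-attempt line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # connection setup/teardown lines carry no credentials; skip them
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("ip"), m.group("user"), m.group("pw"), m.group("result")

def summarize(text, top=3):
    """Top attacker IPs, top user:password pairs, and attempts per UTC hour."""
    ips, creds, hours = Counter(), Counter(), Counter()
    for ts, ip, user, pw, _ in parse_kippo(text):
        ips[ip] += 1
        creds[f"{user}:{pw}"] += 1
        hours[ts.hour] += 1  # bucket by hour to spot the bursts seen in the dashboard
    return {
        "top_ips": ips.most_common(top),
        "top_creds": creds.most_common(top),
        "per_hour": dict(sorted(hours.items())),
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(name, value)
```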