Lately I have been reading Virtual Honeypots, and in the interest of education I have been using certain honeypots to gather malware for reversing. It seems to be a fairly common practice in the information security community, so why not.
My initial honeypot was a simple and quick installation of Kippo. The instructions were fairly clear on the website and it really takes very little to accomplish, so I won't rehash that here. Andrew Waite has an excellent tutorial on installing Kippo from SVN and logging it to MySQL, though Kippo does not require MySQL to run.
With the honeypot running behind a firewall, with the SSH port forwarded internally to my Linux box, I started receiving login attempts within 30 minutes of activation. On average a brute force attempt starts every hour. Most of the time it appears to be just a script or bot: once a command shell has been granted, a scripted set of commands is run to test the shell, and then it logs out. Perhaps someone is just logging open SSH servers along with the username and password that worked.
The files that I have received thus far are:
army1.tar md5: 4ba9b19b262bd87b6af702dd6d7a3683
decoder.tar.gz md5: 1a29f818c023993baf903ebacc001da2
flood md5: e8ad571c662e01f6e942ced9859eddaa
gosh.tgz md5: d41d8cd98f00b204e9800998ecf8427e
(Since I started this post yesterday the count has increased, but I'll save that for later.)
Some of this isn't malware but IRC bots. I guess someone is trying to flood a channel. It didn't work, but I'm not here to help them with it.
I'm in discussions with a pretty good reverse engineer about starting a blog dedicated just to the malware from my honeypot: what it does, where it came from and who (if we know) is responsible. Once we get to that we will start posting write-ups for each piece of malware we find (hopefully).
I'm still trying to learn reversing better, and this gives me an opportunity to work on some more tools/malware.
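A small triage check over a honeypot download directory, added here as an example and not part of the original post or of Kippo: it records the MD5 of every capture, flags any file whose digest is the MD5 of zero bytes (d41d8cd98f00b204e9800998ecf8427e, the digest listed above for gosh.tgz, which is what an empty or failed download produces), and points out captures that are byte-for-byte duplicates of one already seen. The file names and bytes in the demo are constructed stand-ins, not the samples named above.

```python
import hashlib
from pathlib import Path

# MD5 of zero bytes: a capture with this digest is an empty file, meaning the
# download the attacker's script attempted never delivered any content.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage(samples: dict) -> dict:
    """Hash each captured file, flag empty captures and duplicate content.

    `samples` maps a file name to its raw bytes (read from the honeypot's
    download directory in real use; constructed in the demo below).
    """
    digests, empty, duplicates, seen = {}, [], {}, {}
    for name, data in samples.items():
        h = md5_hex(data)
        digests[name] = h
        if h == EMPTY_MD5:
            empty.append(name)            # nothing to reverse here
        elif h in seen:
            duplicates[name] = seen[h]    # same bytes as an earlier capture
        else:
            seen[h] = name
    return {"digests": digests, "empty": empty, "duplicates": duplicates}


def triage_dir(path: str) -> dict:
    """Same check over real files under a directory (path is hypothetical)."""
    files = {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}
    return triage(files)


if __name__ == "__main__":
    # Constructed stand-ins for a download directory; the bytes are arbitrary.
    demo = {
        "sample-a.tar": b"\x00constructed-sample-a",
        "sample-b.tgz": b"\x00constructed-sample-b",
        "sample-c": b"\x00constructed-sample-a",   # same content as sample-a
        "sample-d.tgz": b"",                        # zero-byte capture
    }
    result = triage(demo)
    for name, h in result["digests"].items():
        print(f"{name}: {h}")
    print("empty captures:", result["empty"])
    print("duplicates:", result["duplicates"])
```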