Andy Smith's Blog

  • kippo-graph is neat but calls home

    Update: The author has since released an updated version with the update check (calling home) turned off by default: http://bruteforce.gr/kippo-graph

    I've just been playing around with kippo-graph. I like it: it's quick and easy to set up and provides features I've wanted for a while. The only thing I don't like about it is the 'version checker', which calls home to make sure it's up to date.

    I'm sure the author's intentions are completely innocent, but personally I like to keep the IP addresses of my honeypots private. To stop kippo-graph from calling home, simply open include/misc/versionCheck.php and replace its contents with the following:

    <?php
    // this is the version of the deployed script
    define('VERSION', '0.5');

    // always report the install as current, so no request is ever sent to the upstream version server
    function isUpToDate()
    {
        return true;
    }
    ?>
    

  • List interesting Kippo TTY Logs by Date

    • Honeypots
    • Kippo
    • Scripts

    A quick one, mostly for reference. It seems that the .log files that are 87 bytes tend to be connections followed swiftly by disconnects.

    ls -alFhL ~/kippo/log/tty | grep -v 87

    Then we can skim through our list:

    python ~/kippo/utils/playlog.py ~/kippo/log/tty/20110124-x-x.log

    What I would love for Kippo is some form of online tool that lets you 'work through' and annotate the (wonderful) tty logs.
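    As an added example (not from the post or from Kippo), here is a Python equivalent of the two commands above, assuming the default ~/kippo layout. It filters on the exact file size rather than on the string '87', which grep -v would also strip from any listing line that merely contains that number, e.g. in a timestamp.

```python
import os
import re
from pathlib import Path

# Kippo tty log names start with the date, e.g. 20110124-x-x.log (from the post).
LOG_NAME = re.compile(r"^(\d{8})-.*\.log$")
# Size of the "connect then immediately disconnect" logs the post skips.
EMPTY_SESSION_SIZE = 87

def interesting_tty_logs(tty_dir, skip_size=EMPTY_SESSION_SIZE):
    """Return (date, size, path) for tty logs worth replaying, oldest first.

    Unlike `ls | grep -v 87`, this compares the file size exactly, so a log whose
    name or timestamp merely contains "87" is not dropped by accident.
    """
    results = []
    for entry in Path(tty_dir).iterdir():
        m = LOG_NAME.match(entry.name)
        if not m or not entry.is_file():
            continue
        size = entry.stat().st_size
        if size == skip_size:
            continue
        results.append((m.group(1), size, str(entry)))
    results.sort()
    return results

def playlog_commands(tty_dir, kippo_home="~/kippo"):
    """One playlog.py invocation (as in the post) per interesting log."""
    return [f"python {kippo_home}/utils/playlog.py {path}"
            for _, _, path in interesting_tty_logs(tty_dir)]

def build_sample_tty_dir():
    """Constructed sample directory (not real Kippo output) for a dry run."""
    import tempfile
    d = Path(tempfile.mkdtemp(prefix="kippo-tty-"))
    (d / "20110124-120000-1.log").write_bytes(b"\x00" * 87)    # connect/disconnect only
    (d / "20110124-130000-2.log").write_bytes(b"\x00" * 4096)  # real session
    (d / "20110122-110087-4.log").write_bytes(b"\x00" * 2048)  # "87" in name, real session
    (d / "20110120-090000-5.log").write_bytes(b"\x00" * 87)    # connect/disconnect only
    (d / "notes.txt").write_text("not a tty log\n")
    return d

if __name__ == "__main__":
    for cmd in playlog_commands(os.path.expanduser("~/kippo/log/tty")):
        print(cmd)
```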


  • Picking out the interesting Malware from Dionaea

    • Dionaea
    • Honeypots
    • Scripts
    • Virustotal

    So once you have Dionaea up and running and scanning with Virustotal, you want to pick out the more interesting malware from your ever-expanding collection.

    I am choosing to define 'interesting' here as 'the fewest positive hits on virustotal.com'. There are a number of reasons why this may very well not mean 'interesting', but I don't need to go into those here. It is, at least, interesting enough.

    We're going to use the sqlite database to poke around; there's already been some SQL magic documented on carnivore.it that you should check out if this interests you.

    Top 10 Undetected Malware

    SELECT
        virustotalscans.virustotal,count(virustotalscans.virustotal) as hits,virustotal_md5_hash,virustotal_permalink
    FROM
        virustotalscans, virustotals
    WHERE
        virustotalscans.virustotal = virustotals.virustotal and virustotalscan_result != ''
    GROUP BY
        virustotalscans.virustotal
    ORDER BY
        hits asc;
    

    This produces a nice little list of MD5 hashes, ten in my case.

    Obviously it's entirely possible that a piece of malware Dionaea submitted 1 year ago is by now detected by all of the scanners, but it's still quite a handy list when picking through lots of files.

    Update

    Similarly, if you want to see the most obscure viruses in the past 7 days, only a little tweak is required:

    SELECT
        virustotalscans.virustotal,count(virustotalscans.virustotal) as hits,virustotal_md5_hash,virustotal_permalink
    FROM
        virustotalscans, virustotals
    WHERE
        virustotalscans.virustotal = virustotals.virustotal and virustotalscan_result != '' and virustotals.virustotal_timestamp >= strftime('%s','now','-7 days')
    GROUP BY
        virustotalscans.virustotal
    ORDER BY
        hits asc;
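    To make the two queries above runnable offline, here is an added example (not from the post or from dionaea) using Python's sqlite3 against a constructed minimal copy of the two tables; the table and column names follow the post, while the rows and md5 strings are made up. It folds the all-time and 'past 7 days' queries into one parameterised query and goes a little beyond the post: the LEFT JOIN also returns samples with zero detections, which the inner join on virustotalscan_result != '' cannot return at all.

```python
import sqlite3
import time

DAY = 86400

# Minimal stand-in for the two dionaea tables the post's queries join; column
# names are the ones the post references, everything else is constructed.
SCHEMA = """
CREATE TABLE virustotals (virustotal INTEGER PRIMARY KEY, virustotal_md5_hash TEXT,
                          virustotal_permalink TEXT, virustotal_timestamp INTEGER);
CREATE TABLE virustotalscans (virustotalscan INTEGER PRIMARY KEY, virustotal INTEGER,
                              virustotalscan_scanner TEXT, virustotalscan_result TEXT);
"""

# Least-detected first. LEFT JOIN plus COUNT(NULLIF(result, '')) keeps samples
# with zero detections, which the post's inner join on result != '' drops; the
# timestamp bound is the post's 'past 7 days' tweak turned into a parameter.
LEAST_DETECTED = """
SELECT v.virustotal_md5_hash, COUNT(NULLIF(s.virustotalscan_result, '')) AS hits,
       v.virustotal_permalink
FROM virustotals v LEFT JOIN virustotalscans s ON s.virustotal = v.virustotal
WHERE v.virustotal_timestamp >= ?
GROUP BY v.virustotal
ORDER BY hits ASC, v.virustotal_md5_hash
LIMIT ?;
"""

def least_detected(conn, limit=10, since=0):
    """Return [(md5, hits, permalink), ...]; since=now-7*DAY gives the 7-day view."""
    return conn.execute(LEAST_DETECTED, (since, limit)).fetchall()

def build_sample_db(now=None):
    """In-memory DB with constructed rows; the md5 strings are fake placeholders."""
    now = int(time.time()) if now is None else now
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    samples = [  # (id, fake md5, age in days, one result per scanner; '' = clean)
        (1, "md5-old-fully-detected", 30, ["Trojan", "Worm", "Trojan"]),
        (2, "md5-old-undetected", 30, ["", "", ""]),
        (3, "md5-new-one-hit", 2, ["", "Suspicious", ""]),
        (4, "md5-new-two-hits", 1, ["Trojan", "", "Worm"]),
    ]
    for sid, md5, age, results in samples:
        conn.execute("INSERT INTO virustotals VALUES (?,?,?,?)",
                     (sid, md5, "permalink-placeholder", now - age * DAY))
        conn.executemany("INSERT INTO virustotalscans VALUES (NULL,?,?,?)",
                         [(sid, f"scanner{n}", r) for n, r in enumerate(results)])
    return conn
```

    Point least_detected() at a connection to your real dionaea logsql database to get the same ranking over live data.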
    

  • Getting Dionaea to scan previously collected Malware

    • Dionaea
    • Honeypots
    • Virustotal

    Update: This is an old post and the scripts got lost when I moved hosts. There is a script at http://carnivore.it/2010/10/07/virustotal_api under "processing backlog" that will do what I describe below.

    I finally got around to signing up for a Virustotal API key and popping it into my Dionaea configuration. This gave my logs a lot more information for the newly collected malware. My problem was that none of my previous files had any Virustotal scan information attached.

    This would not do, so I wrote a Python script to populate the 'vtcache.sqlite' database with all the previous, unscanned pieces of malware. This causes dionaea to scan all of the old malware with Virustotal and update the dionaea database with all that tasty data.

    Most of the magic here is the work of dionaea; all my script does is copy some data from one table to another. You must still have the old malware, and the script is written for a setup like mine, where most of the logs and malware are just left at their defaults.

    The script is set up with dionaea's default directories; if yours are different, you will need to change them by editing the file.

    Once configured, simply run:

    python vupdate.py

    No output is good output. That's all! Any feedback is appreciated; this is definitely experimental, so back up anything important before you run it.
