How To Capture Malware Samples With HoneyDB
Does malware analysis peak your interest? Are you looking for sources of malware for research, or just to practice your craft? Honeypots are a great way to identify sources of malware. There are numerous honeypots available that will help you find or even capture malware samples. However, in this post I want to show how this can be done using HoneyDB and related tools. By using HoneyDB you can get up and running quickly, and you’ll be contributing honeypot data back to the community.
The steps described in this post are:
- Creating a HoneyDB account.
- Deploying and configuring a HoneyDB agent.
- Accessing your agent data via the HoneyDB API.
Creating A HoneyDB Account
This is super easy! So easy, that it probably doesn’t even warrant it’s own section in this blog post. However, you do need to have either a Github or Twitter account to login. Simply, visit this page to sign-up and login.
Deploying HoneyDB Agents
First, you’ll need to determine where you will deploy your agent. If you need some options, you can choose any cloud virtual private server (VPS) provider or your home network.
A few good, and cheap, VPS providers are:
- Digital Ocean (use this referal link for a $10 credit)
- Vultr (referal link)
- Linode (referal link)
- Scaleway (https://www.scaleway.com)
If deploying on your home network, I won’t cover the details of how to securely configure your network here. But make sure you compartmentalize and only expose the host dedicated for running the HoneyDB agent. If you are unsure of how to do this, then I strongly recommend using a VPS provider. It’s cheap! However, if you have a spare Raspberry PI at home, this is a good way to make use of it.
Once you’ve provisioned a server, it’s time to install. HoneyDB agent packages are hosted on Cloudsmith, which enables installing the agent via standard package management systems on Linux. In addition, Cloudsmith provides awesome quick install scripts.
You can find the quick install script or manual install commands for your OS with the links below:
Windows (zip file download)
Configuring the HoneyDB agent is very straightforward to do. There are two configuration files, agent.conf and services.conf. By default, these files are located in the /etc/honeydb-agent/ directory. At minimum, you’ll need to update the agent.conf file.
This is where you will add your agent keys. To find your agent keys, login to HoneyDB and you’ll be redirected to the API keys page. You’ll need the API ID and Sensor API secret key as indicated by the arrows in the screenshot below. If you haven’t already generated a new sensor secret key, click the Generate Key button.
Update the [honeydb] section in the agent.conf file, add your agent keys and be sure to set enabled to Yes. Example:
enabled = Yes
api_id = Your_ID_Key_Goes_Here
api_key = Your_API_Key_Goes_Here
The services.conf file tells the HoneyDB agent which services to emulate. By default, there are 23 services enabled. It is worthwhile to stick with the default and run the all. However, you can disable any service you don’t want to run by setting the enabled option to No. Example:
plugin = VNC_tcp
low_port = tcp:5900
port = tcp:5900
description = Low interaction VNC service
enabled = No
Important: In the services.conf, SSH service is enabled and attempts to listen on port 22. If the real SSH service you use to connect to the host is also listening on port 22 there will be a conflict. Your options are to either: configure the real SSH service to listen on a different port, or disable the SSH service in the services.conf file, or change the port for SSH in the services.conf file.
Accessing Honeypot Data
Now that you have your agent configured and running, the data will be collected on HoneyDB. You can access this data via the HoneyDB Threat Info API. To access the API you will need the API ID key and Threat Info API secret key as indicated by the arrows in the screenshot below. If you haven’t already generated a new Threat Info API secret key, click the Generate Key button.
Automate the Search
Now that you have API keys, you are ready to start querying the HoneyDB API. You can use any set of tools you like to access the API, but I provide and demonstrate a few utilities here as an example of how to automate searching for sources of malware. After all, why manually troll through data when you can automate it!
These utilities are written in Python so Python is required on the system you’ll be using to query the API. The first is the Python honeydb package, which can be installed using the following command:
pip install honeydb
The second is a Python script that utilizes the honeydb package to call the HoneyDB API.
This script will download and search payload data from the HoneyDB API. By default, it will filter by the current date, and notice the SEARCH_STRINGS variable. This variable is an array of strings that determines what we are looking for in payloads. To identify sources of malware, we are looking for payloads that make use of the commands wget and curl. Once an attacker compromises a host, or in this case our honeypot, these commands are typically used to download malware in an attempt to deliver the true nature of the attack. In many cases, this will be calls out to a command and control server for further instructions, continue attacking more hosts to spread itself, or to start mining cryptocurrencies.
The URLs in the wget or curl commands are what you are after. Those URLs point you to the malware samples you are looking for. In some cases, there may be additional redirects before getting to the final malware destination. You may also find that the server hosting the malware has been taken offline.
Important: exercise caution when downloading malware executables or scripts. Only execute them in isolated environments. But you probably know this already :-)
See an example run of the honeydb-search-payloads.py script below. Warning, the full recording is about five minutes long. You don’t need to watch the entire recording to get an understanding of what the script produces. However, there are some very interesting payloads throughout the entire recording.
This is an example run of a Python script that searches honeypot data from HoneyDB, looking for payloads using the…asciinema.org
With HoneyDB and the HoneyDB Agent, it is very easy to get a honeypot up and running quickly and start collecting data. Also, leveraging the HoneyDB API and the honeydb Python package you can easily query the data as well as automate the analysis of payload data. I hope you’ll find HoneyDB to be a useful resource in your hunt of malware. Happy hunting!
If you have questions or comments about HoneyDB, please feel free to submit them here.