LebahNET Statistic – October 2015

1. Summary

CyberSecurity Malaysia has established a Honeynet project known as Lebahnet.

Lebahnet is a Honeypot Based Distributed System for detecting and capturing attacks that evades traditional security devices. This project was initiated in 2002.

Lebahnet as a lightweight and passive honeypot; emulate vulnerabilities of operating systems used in an enterprise to alert security administrator on source of attacks.

The project aims to provide valuable supporting information such as network trends and malicious activities for our incident handling and advisory activities currently carried out by MyCERT. Lebahnet also serves as a research network for our analysts to experiment with relevant tools and techniques.

MyCERT has deployed the LebahNET Sensor in several areas in Malaysia.

2. Analysis

The data is collected from LebahNET Sensors from 2015-10-01 to 2015-10-30.

Summary of collected data

Number of Hits: 103622
Total Malwares: 626
Unique Malwares: 95

Targeted Services

Top 10 Threat Origins

Top 10 IPs

# Source IP Total
1 222.186.61.6 (CN) 6360
2 222.186.61.10 (CN) 5588
3 222.186.61.17 (CN) 5185
4 222.186.34.74 (CN) 4923
5 61.147.103.166 (CN) 4486
6 180.97.215.126 (CN) 3823
7 60.169.74.139 (CN) 3681
8 61.147.103.106 (CN) 3458
9 177.43.8.13 (BR) 1976
10 36.48.159.93 (CN) 1480

Web Attack

Bruteforce Attack

Targeted Services

Top 10 Username

# Username Total
1 sa 26677
2 admin 16476
3 root 13594
4 mysql 2347
5 user 1746
6 ubnt 1665
7 test 1416
8 oracle 1143
9 server 834
10 support 497

Top 10 Password

# Password Total
1 admin 2319
2 root 2153
3 123456 1222
4 ubnt 1066
5 password 481
6 support 362
7 352
8 openelec 292
9 1234 280
10 12345 251

LebahNET Statistic – September 2015

1. Summary

CyberSecurity Malaysia has established a Honeynet project known as Lebahnet.

Lebahnet is a Honeypot Based Distributed System for detecting and capturing attacks that evades traditional security devices. This project was initiated in 2002.

Lebahnet as a lightweight and passive honeypot; emulate vulnerabilities of operating systems used in an enterprise to alert security administrator on source of attacks.

The project aims to provide valuable supporting information such as network trends and malicious activities for our incident handling and advisory activities currently carried out by MyCERT. Lebahnet also serves as a research network for our analysts to experiment with relevant tools and techniques.

MyCERT has deployed the LebahNET Sensor in several areas in Malaysia.

2. Analysis

The data is collected from LebahNET Sensors from 2015-09-01 to 2015-09-30.

Summary of collected data

Number of Hits: 35294
Total Malwares: 571
Unique Malwares: 47

Targeted Services

Top 10 Threat Origins

Top 10 IPs

# Source IP Total
1 222.186.61.10 (CN) 5032
2 222.186.34.74 (CN) 4711
3 61.147.103.166 (CN) 3688
4 45.35.33.50 (US) 1105
5 80.82.64.134 (NL) 659
6 117.21.176.17 (CN) 650
7 112.5.16.68 (CN) 630
8 58.63.245.217 (CN) 558
9 45.34.1.183 (US) 432
10 89.163.144.80 (DE) 360

Web Attack

Bruteforce Attack

Targeted Services

Top 10 Username

# Username Total
1 sa 9703
2 root 4018
3 admin 1663
4 ubnt 464
5 mysql 158
6 support 150
7 user 124
8 test 119
9 oracle 114
10 DUP root 99

Top 10 Password

# Password Total
1 admin 1247
2 root 615
3 ubnt 375
4 password 260
5 123456 222
6 1 112
7 support 108
8 12345 89
9 00 81
10 1234 78

LebahNET API – Malware Information

FireShot Screen Capture #038 - 'LebahNET - Distributed Honeypot Network' - dashboard_honeynet_org_my

We are pleased to announce that we have provided access to public to obtain information on malwares collected by our LebahNET Sensor. Interested parties may access this information by using our Public API.

These are public API that we’re offering to public:
– List of Malware MD5
– List of latest 10 Malware MD5 with timestamp
– Malware Information
– Download malware binary

Please email to us following information in order to receive the API key:

– Your First & Last Name (may not be a third party contact)
– Your Organization and Address
– Contact information for verification.

Our email address is: lebahnet@cybersecurity.my

Dionaea: Malwr Module

We have noticed the following tweet from malwr:

As we use Dionaea Honeypot as our sensors, we decided to make it easy for our analyst to work with.  So, we have created a module to automate the malware submission to malwr.

The following code is for malwr module and step-by-step installation.

Create file modules/python/scripts/malwr.py with the following code

Available on gist

from dionaea.core import ihandler, incident, g_dionaea
import logging
import json
import uuid
import time
import sqlite3

logger 	= logging.getLogger('malwr')
logger.setLevel(logging.DEBUG)

class malwrreport:
	def __init__(self, md5, path, timestamp):
		self.md5 = md5
		self.path = path
		self.ts = timestamp

class handler(ihandler):
	def __init__(self, path):
		logger.info("%s ready!" % (self.__class__.__name__))
		ihandler.__init__(self, path)
		self.vconfig = g_dionaea.config()['modules']['python']['malwr']
		self.submit_url = self.vconfig['submit_url']
		self.api_key = self.vconfig['apikey']
		self.share = self.vconfig['shared']
		self.cookies = {}
		dbpath = self.vconfig['dbfile']
		self.dbh = sqlite3.connect(dbpath)
		self.cursor = self.dbh.cursor()
		self.cursor.execute("""
			CREATE TABLE IF NOT EXISTS submit (
				id INTEGER PRIMARY KEY,
				uuid TEXT NOT NULL,
				path TEXT NOT NULL,
				md5 TEXT NOT NULL,
				sha256 TEXT NOT NULL,
				submit_time TEXT NOT NULL
			);""")

	def handle_incident(self, icd):
		pass

	def handle_incident_dionaea_download_complete_unique(self, icd):
		cookie = str(uuid.uuid4())
		self.cookies[cookie] = malwrreport(icd.md5hash, icd.path, str(time.strftime("%Y-%m-%d :%H:%M:%S", time.localtime())))

		i = incident('dionaea.upload.request')
		i._url = self.submit_url
		i.shared = self.share
		i.api_key = self.api_key
		i.set('file://file', icd.path)
		i._callback = "dionaea.modules.python.malwr.file_submitted"
		i._userdata = cookie
		i.report()

	def handle_incident_dionaea_modules_python_malwr_file_submitted(self, icd):
		f = open(icd.path, mode='r')
		j = json.load(f)
		cookie = icd._userdata
		mreport = self.cookies[cookie]
		self.cursor.execute("""INSERT INTO submit (uuid, path, md5, sha256, submit_time) VALUES (?, ?, ?, ?, ?);""", (j['uuid'], mreport.path, mreport.md5, j['sha256'], mreport.ts))
		self.dbh.commit()

		i = incident("dionaea.modules.python.malwr.uuid")
		i.md5hash = mreport.md5
		i.uuid = j['uuid']
		i.report()
		
		del self.cookies[cookie]

Open file modules/python/scripts/ihandler.py and find the following code:

	if "fail2ban" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
		import dionaea.fail2ban
		g_handlers.append(dionaea.fail2ban.fail2banhandler())

Then Add this code:

	if "malwr" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
		import dionaea.malwr
		g_handlers.append(dionaea.malwr.handler('*'))

and it should looks like the following:

	if "fail2ban" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
		import dionaea.fail2ban
		g_handlers.append(dionaea.fail2ban.fail2banhandler())

	if "malwr" in g_dionaea.config()['modules']['python']['ihandlers']['handlers']:
		import dionaea.malwr
		g_handlers.append(dionaea.malwr.handler('*'))

Open file conf/dionaea.conf and find following code:

		imports	= [	"log",
					"services",
					"ihandlers"]

Add malwr configuration after the above code and it will look like below:

		imports	= [	"log",
					"services",
					"ihandlers"]
		malwr = {
			submit_url = "https://malwr.com/api/analysis/add/"
			apikey = "..." // get yours @ https://malwr.com/account/profile/
			shared = "yes"
			dbfile = "var/dionaea/malwr.sqlite"
		}

within same file as above, find following code

		ihandlers = {
			handlers = ["ftpdownload", "tftpdownload", "emuprofile", "cmdshell", "store", "uniquedownload", 
			"logsql",
//			"virustotal",
//			"mwserv",
//			"submit_http",
//			"logxmpp",
//			"nfq",
//			"p0f",
//			"surfids",
//			"fail2ban"
			]
		}

add “malwr” after “logsql” and it will look like below, and save 😀

		ihandlers = {
			handlers = ["ftpdownload", "tftpdownload", "emuprofile", "cmdshell", "store", "uniquedownload", 
			"logsql",
//			"malwr",
//			"virustotal",
//			"mwserv",
//			"submit_http",
//			"logxmpp",
//			"nfq",
//			"p0f",
//			"surfids",
//			"fail2ban"
			]
		}

Heartbleed Checker

Heartbleed (CVE-2014-0160) is a vulnerability on OpenSSL library which is affected on million of website. This will cause any user on the internet to read system memory. Our team have working to provide an alternative URL for user to verify their web server for vulnerable OpenSSL. User can visit to the following URL:

http://heartbleed.honeynet.org.my/

Heartbleed hosted on honeynet.org.my

Heartbleed checker hosted on honeynet.org.my. Showing an example of vulnerable website detected.

If the website is not vulnerable user will received the following message:
heartbleed2If you find any bugs or error in this web service please do not hesitate to contact us or leave a comment.

TOR Based APK Trojan

Several security firms recently discovered TOR based malware on android platform. As we received the sample, we make some quick analysis on it.

MD5: 58FED8B5B549BE7ECBFBC6C63B84A728
SHA-1: 2E6DBFA85186AF23A598694D2667207A254F8979

The sample has been reported to have C&C capability which is using unusual top level domain name (.onion). This TLD is usually used by TOR.
Constant
The use of Orbot TOR Client on this malware can be seen on its Java class:
Orbot TOR Client class

The following screenshot is an example of permission that used by this malware and the capabilities to run TOR client:

Permissions TOR Client Service

We have discovered more functionality which is not just TOR but also taking advantage on SMS, contact, USSD, and listing installed apps.

Maybank Phishkit Analysis

Just couple of days ago, we discovered a certain Maybank Phishing kit that limits access to only IP address from Malaysia. The phishing kit is hosted in a server in the US. This is basically done via the .htaccess file.

Directory of C:\temp\xyz\xyz\m2u\abc

07/04/2011  12:43 PM                           .
07/04/2011  12:43 PM                           ..
27/01/2011  01:12 AM             8,701 HTACCE~1     .htaccess
26/01/2011  03:44 PM               877              acc.php
27/01/2011  04:51 PM               870              favicon.jpg
15/01/2011  09:00 AM            16,372 M2ULOG~1.PHP M2ULogin.do.php
26/08/2010  11:21 AM            14,745 MAYBAN~1.PHP Maybanksecure.php
26/08/2010  11:50 AM            14,632 RE-ACT~1.PHP re-activate.php
04/10/2010  12:44 PM               518 SSLACT~1.PHP sslactivate.php
26/01/2011  03:41 PM               572 SSLVER~1.PHP sslverify.php
27/07/2010  09:32 PM             2,530 TACREQ~1.PHP tacrequested.php
26/01/2011  03:41 PM               543 VALIDA~1.PHP validating.php
26/01/2011  03:41 PM            21,301 VERIFY~1.PHP verifydetails.php
              11 File(s)         81,661 bytes

htaccess-phish

There is about 300 network addresses listed in the  .htaccess file and makes other  anti-phishing researchers  think that  site does not exit.

On another note, do make use of our DontPhishMe plugin for Firefox and Chrome!

From Facebook App to Botnet

MyCERT had received a couple of  reports of on a  new variant of Facebook malware spreading in the wild. It propagates through an FB application. The malware also is targetting users with messages on Facebook, which then link through to a fake Facebook photo page.

The site is designed to appear that the user is still browsing from within facebook. It was also made to appear that the picture was moved and needed to click the ‘View Photo’ button to see it. Clicking the button will download the malicious file.

The file is currently detected by 0 out of 37 antivirus products

* Refer to: http://virscan.org/report/d67fdc5b7dcfa … 0b1fe.html (Result as of 7 January 2011).

If infected, the computer will connect to the command and control server using the IRC protocol and wait for further instructions. Additionally,  sending similar messages to all your friends on the Facebook network.

Command & Control (C&C) Server connection:
Remote Host:Port Number
– 75.y.a.xx:1234
– 66.b.d.xx:1234

Forensic Challenge 2010/6 – Analyzing Malicious Portable Destructive Files is now live

Another challenge is ready to be tackled by forensic analysts, students, hackers and alike. This time, we present you with an attack vector that has become quite successful: malicious PDF files!

For challenge 6 of our series (provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Honeynet Project Chapter) we present you with a pcap file that contains network traffic generated by the following scenario: An unsuspecting user opens a compromised web page, which redirects the user’s web browser to a URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user’s machine.

We prepared a set of questions that requires you to dive deep into the portable document format. Submit your solution by November 30th 2010. The top three submissions will receive small prizes.

Enjoy!

Christian Seifert
Chief Communications Officer
The Honeynet Project

Source: The Honeynet Project’s Blog