Dionaea honeypot: from Conficker to WannaCry + SambaCry CVE 2017-7494

30 May 2017 Roberto Tanara dionaea honeypot sambacry wannacry

This is a contribution by Tan Kean Siong, follow him on Twitter @gento_ .

The open source honeypot Dionaea supported SMB since long but lacked support for the recent WannaCry ransomware SMB vulnerability and the most recent Samba RCE vulnerability CVE 2017-7494 dubbed “SambaCry” wormable attacks. With the recent changes, both attack vectors are supported and respective samples caught in the wild.

Dionaea is a low interaction, server side honeypot which emulates a vulnerable system or device. Its ultimate goal is to gain a copy of the malware. It supports various protocols and network stacks e.g. SMB, HTTP, FTP, TFTP, MSSQL, MySQL, SIP (VOIP). Recently it also got support to emulate an IoT device, SmartTV or XBOX with the UPnP and MQTT protocols enabled. Dionaea was created back in the years of the Conficker worm, and yet its solid SMB network stack proved to be useful in 2017 for the WannaCry worm hunt across the Internet.

WannaCry

In May 2017, the WannaCry ransomware outbreak infected millions of computers globally and got much attention due to the scale and the infected organizations. The attack targeted computers running Microsoft Windows by exploiting the MS17-010 SMB remote code execution vulnerability. Initially, the worm exploited the system with the EternalBlue exploit, and installed the DoublePulsar backdoor implant tool, thus deliver the ransomware onto the system. The worm would then continue to scan the Internet in order to find the next targets.

“How can we collect the non-stop spreading WannaCry ransomware binaries in the easiest way possible?” - This is definitely an interesting challenge to tackle. With Dionaea, we emulate a Windows system which was implanted with DoublePulsar backdoor. Yes, a Windows system with DoublePulsar backdoor. We will accept SMB Trans2 requests, dissect any incoming DoublePulsar commands (e.g. exec, ping) and respond gently. In order to establishing a proper conversation with the worm, so it voluntarily delivers the payload to the honeypot. Which is in fact the WannaCry ransomware sample.

SambaCry (CVE 2017-7494)

For Samba, a 7-Year-Old CVE 2017-7494 vulnerability (dubbed as “SambaCry”) was discovered after the WannaCry outbreak. This wormable flaw hit up the headlines and it might be the next big thing for Linux systems, network storage systems (NAS), IoT devices etc.

“Can we put a Samba server on the Internet and listen quietly for any WannaCry-alike outbreaks soon?” - Yes, Dionaea is up for CVE 2017-7494 vulnerability and it can be configured with the profile to emulate a vulnerable Samba server. We will accept the SMB Open AndX requests and Write AndX requests happily. If any incoming exploitation attempts to write a payload into the shared folder, Dionaea will accept this and collect the payload.

Github : https://github.com/gento/dionaea

*Note: network protocol emulation are complex, well, definitely there are more room of improvement for Dionaea honeypot…