privacysavvy

privacysavvy

Wednesday, November 29, 2023

[New post] Decoding The Patterns: Analyzing DShield Honeypot Activity [Guest Diary], (Mon, Nov 27th)

Site logo image Malware Devil posted: "[This is a Guest Diary by Alex Rodriguez, an ISC intern as part of the SANS.edu BACS program] Honeypots can be an effective means of discovering the variety of ways hackers target vulnerable systems on the Internet.  The first thing you may ask yo" Malware Devil

Decoding The Patterns: Analyzing DShield Honeypot Activity [Guest Diary], (Mon, Nov 27th)

Malware Devil

Nov 28

[This is a Guest Diary by Alex Rodriguez, an ISC intern as part of the SANS.edu BACS program]

Honeypots can be an effective means of discovering the variety of ways hackers target vulnerable systems on the Internet.  The first thing you may ask yourself is, "What is a honeypot?"  In short, it is a magnificent tool that can be attached to your home router and is designed to lure potential hackers into attacking it by pretending to be a vulnerable system.  As part of my internship with the SANS Internet Storm Center, I have had the pleasure of setting up a honeypot and monitoring activity to assist me in identifying some of the trends hackers use to target vulnerable systems.

Monitoring activity on a honeypot usually entailed reviewing logs, which in my case meant combing through JSON-formatted, SSH and Web logs looking for activity that piqued my interest. According to my SSH logs, the honeypot captured 26171 IP addresses, 48548 Source Ports, 13201 Usernames, and 43794 Passwords between July 30, 2023, and October 30, 2023. Listed below are the Top 10 IPs, Ports, Usernames, and Passwords captured during the four-month period: 

Although Port 1024 is within the user server range, Trojan activity has been associated with Port 1024 as indicated by the SANS Internet Storm Center: 

What is interesting about this login data is that the ratio between successful and failed logins is vastly different despite the total number of username and password combinations that were utilized.  On the other hand, a change in simple password or default password usage would increase this disparity even more.

Commands Captured by Honeypot

During the same period, 27096 commands were captured on the honeypot. Listed below are the Top 10 commands seen during the period: 

Top 10 Commands

The most interesting commands listed above are the first two, as they are normally used together to help maintain system access once a system is compromised.  The first command upon execution removes any attribute that would prevent overwriting the .ssh hidden file.  The next command would effectively add an attacker's own SSH public key to .ssh in authorized_keys, to maintain access:

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw==mdrfckr">>.ssh/authorized_keys && chmod -R go=~/.ssh && cd ~

This command has been directly associated to the Outlaw Hacker Group by TrendMicro in 2018. Additional information concerning its usage and association with a Crypto-Botnet can be found by navigating to this site [1].

Uploaded Honeypot Files

Uploaded honeypot files are files uploaded to a honeypot by threat actors. These files can contain malware, exploits, backdoors, or other malicious content that can be analyzed to gain insights into the attacker's methods and intentions. During the four-month period, 8 binaries, a Bash shell script, and an empty file with the following SHA256 hash values were uploaded to the honeypot:

According to VirusTotal, 9 of the hashes listed above are all indicators of compromise, which consist of various Trojan and Miner families as well as a Bash shell script. The empty file with no threat label as indicated above is an empty file with zero bytes. In addition, this file has been categorized as stealer malware based on two Dynamic Analysis Sandbox Detections [3].  It seems interesting that even amongst the VirusTotal community there seems to be some debate as to whether this file is a threat. There is still not enough known about this file.

On the other hand, the XorDDoS Trojan listed above is well known and was first discovered by a white hat malware research group, MalwareMustDie [4]. The Trojan uses an XOR encryption key to encrypt all the data related to its execution. This Trojan is interesting as it has rootkit capabilities that infect Linux devices, transform them into zombies and subsequently controlled by attackers to execute malicious tasks remotely, including a DDoS attack. 

In conclusion, honeypots provide a wealth of information that would be useful to cybersecurity professionals as they help identify both old and new emerging threats being used against systems on the Internet. While exploits will forever haunt our systems exposed to the Internet, simple configuration adjustments and continual patching of systems; as well as utilizing password complexity best practices could assist in thwarting successful attacks.

[1] https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/

[2] https://isc.sans.edu/diary/DShield+Honeypot+Activity+for+May+2023/29932

[3] https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection

[4] https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-polymorphic-in-elf.html

[5] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------

Guy Bruneau IPSS Inc.

My Handler Page

Twitter: GuyBruneau

gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Comment

Manage your email settings or unsubscribe.

Trouble clicking? Copy and paste this URL into your browser:
https://devi.ly/decoding-the-patterns-analyzing-dshield-honeypot-activity-guest-diary-mon-nov-27th/

WordPress.com and Jetpack Logos

Get the Jetpack app to use Reader anywhere, anytime

Follow your favorite sites, save posts to read later, and get real-time notifications for likes and comments.

Download Jetpack on Google Play Download Jetpack from the App Store
WordPress.com on Twitter WordPress.com on Facebook WordPress.com on Instagram WordPress.com on YouTube
WordPress.com Logo and Wordmark title=

Automattic, Inc. - 60 29th St. #343, San Francisco, CA 94110  

at November 29, 2023
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest

No comments:

Post a Comment

Newer Post Older Post Home
Subscribe to: Post Comments (Atom)

The Daily 3: Trump Accounts launched July 4th as potential pathway to privatizing Social Security—could address 2034 trust fund crisis; check-in apps for isolated seniors; and more

Catch up in minutes with your daily briefing on the Social Security, Medicare & Retirement news that affects you most.  ‌ ‌ ‌ ‌ ‌ ‌...

  • Dork List
    ...
  • End of week Artemis update - July 18th 2025
    A round-up of our ILS focused news from this week ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌...
  • Artemis London 2025: Under two months to go
    Register now to attend at the lowest price ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌...

Search This Blog

  • Home

About Me

privacysavvy
View my complete profile

Report Abuse

Blog Archive

  • July 2026 (18)
  • June 2026 (75)
  • May 2026 (73)
  • April 2026 (94)
  • March 2026 (92)
  • February 2026 (76)
  • January 2026 (77)
  • December 2025 (79)
  • November 2025 (73)
  • October 2025 (88)
  • September 2025 (79)
  • August 2025 (71)
  • July 2025 (89)
  • June 2025 (78)
  • May 2025 (95)
  • April 2025 (85)
  • March 2025 (78)
  • February 2025 (31)
  • January 2025 (50)
  • December 2024 (39)
  • November 2024 (42)
  • October 2024 (54)
  • September 2024 (83)
  • August 2024 (2665)
  • July 2024 (3210)
  • June 2024 (2908)
  • May 2024 (3025)
  • April 2024 (3132)
  • March 2024 (3115)
  • February 2024 (2893)
  • January 2024 (3169)
  • December 2023 (3031)
  • November 2023 (3021)
  • October 2023 (2352)
  • September 2023 (1900)
  • August 2023 (2009)
  • July 2023 (1878)
  • June 2023 (1594)
  • May 2023 (1716)
  • April 2023 (1657)
  • March 2023 (1737)
  • February 2023 (1597)
  • January 2023 (1574)
  • December 2022 (1543)
  • November 2022 (1684)
  • October 2022 (1617)
  • September 2022 (1310)
  • August 2022 (1676)
  • July 2022 (1375)
  • June 2022 (1458)
  • May 2022 (1297)
  • April 2022 (1464)
  • March 2022 (1491)
  • February 2022 (1249)
  • January 2022 (1282)
  • December 2021 (1663)
  • November 2021 (3139)
  • October 2021 (3253)
  • September 2021 (3136)
  • August 2021 (732)
Powered by Blogger.