In previous posts, I’ve talked about searching for malware. With a honeypot, you can let malware come to you.
I recently implemented a Dionaea honeypot. I chose Dionaea because it’s often found at or near the top of lists of malware-gathering honeypots. What I didn’t realize at the time was that it seems like it’s really not officially maintained anymore. I suppose that’s somewhat of a debatable statement as there are people who seem to be trying to work on it (I’ve seen recent documentation updates, for instance) but it’s really unclear if this is a concerted effort by a group or just a few people trying to keep it alive. At any rate, this is what I did to get my Dionaea honeypot up and running. If you’re interested in setting one up yourself then hopefully this post will help you to that end.
My first step in this effort was to set up a cloud-based server. There are a number of choices. The top names that I considered are Amazon AWS, Digital Ocean (link contains my referral code – if you use it to sign up, you’ll get a $10 credit) and Cloud At Cost. There are others but they’re mostly geared toward the enterprise (with enterprise-level pricing). I quickly ruled out Cloud At Cost after reading several poor reviews. I started with Amazon AWS but ran into some problems (email me if you’re interested in the details but they’re fairly pedestrian). This brought me to Digital Ocean.
I created an Ubuntu 14.04 Droplet ($5.00/month level) and followed this guide to set up my SSH connection. Now I was ready for the honeypot setup. My first step was to try using Jason Trost’s helpful Modern Honey Network project. It really seemed like the ideal way to go. The instructions I used are here on the project’s GitHub page.
The MHN setup process was painless. I then deployed my Dionaea honeypot (see MHN documentation for details). I recorded my first connection attempt within about 1 minute. I thought this would work out perfectly. The problem I ran into was that after running for a couple of days and logging over a thousand connections, I had captured no actual malware. Judging from Google search results, this problem has been reported by others as well. I destroyed the droplet and started over.
One reason that I went with the MHN install initially was that I was scared off by all of the Dionaea dependency packages (check here to see what I mean). These prerequisites, coupled with installing from source, just didn’t seem appealing. Then I found this Dionaea documentation page. I added the PPA, installed and started Dionaea, and I was off and running. Very simple.
After about an hour or two, I checked the binaries folder and I had captured actual malware! My honeypot has been steadily collecting ever since (at this point it seems to be mostly Conficker traffic which has been making a resurgence lately).
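Once Dionaea is dropping files into its binaries folder, the next question is what arrived and whether it is new. The script below is an added example, not part of the original post or of the Dionaea project: it inventories the captured samples (SHA-256, size, filename) and reports only the hashes not already recorded in a seen-list, so it can run from cron after each check. The default binaries path is an assumption (the package install may use a different location), so override it with DIONAEA_BINARIES; the demo directory is constructed so the script runs offline.

```shell
#!/bin/sh
# Inventory of samples captured by a Dionaea honeypot (added example).
# Assumed default location of the binaries folder; override via env var.
BINARIES="${DIONAEA_BINARIES:-/var/lib/dionaea/binaries}"

# SHA-256 of one file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# One line per sample: "<sha256> <size-in-bytes> <filename>".
# A missing or empty directory simply yields no output.
inventory_samples() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sum=$(hash_file "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$(basename "$f")"
    done
}

# Number of samples currently in the directory.
count_samples() {
    inventory_samples "$1" | wc -l | tr -d ' '
}

# Print samples whose hash is not yet in the seen-list file, then record
# them there, so repeated runs only report what is new since last time.
report_new_samples() {
    dir="$1"
    seen="$2"
    touch "$seen"
    inventory_samples "$dir" | while read -r sum size name; do
        if ! grep -q "^$sum " "$seen"; then
            printf '%s %s %s\n' "$sum" "$size" "$name"
            printf '%s %s\n' "$sum" "$name" >> "$seen"
        fi
    done
}

# Constructed demo directory with two fake "samples" (plain text, not
# malware) so the functions can be exercised without a live honeypot.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'constructed sample one\n' > "$d/a1b2"
    printf 'constructed sample two\n' > "$d/c3d4"
    echo "$d"
}

# Default action when run directly: list everything currently captured.
inventory_samples "$BINARIES"
```

Run it as `DIONAEA_BINARIES=/path/to/binaries sh inventory.sh` to list everything, or call `report_new_samples "$BINARIES" /var/tmp/dionaea-seen.txt` from cron so each run only prints samples that have not been seen before; the hash column is what you would carry over to a sample-analysis workflow.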
While the MHN project software was very nicely done (and very simple to implement), I had trouble achieving my actual objective with it – collecting malware. I probably could have gotten it working properly (or perhaps I just needed to be more patient and wait for malware?). Since Dionaea is now available as a package in a PPA, the process of installing it was even easier than implementing it with MHN.
I very quickly realized that one of the advantages of the MHN install was that it comes with a GUI. In the next post, I’ll detail how I installed DionaeaFR as a front-end for my Dionaea honeypot.