Showing posts tagged #malware

In this post I will analyze one of the ELF files captured on my honeypot. First, a dynamic analysis will be performed. Once we acknowledge its behaviour we will move on to a more in-depth static analysis.

Let's start!
We are presented with a 32-bit ELF un-stripped executable.

$ file 05fd293845e7517bcfc6e8a7fa845ef101bf716c5ec6d40c74c6f7e8aed656bf 
05fd293845e7517bcfc6e8a7fa845ef101bf716c5ec6d40c74c6f7e8aed656bf: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped, too many notes (256)

Analyzing the network traffic

Executing the malware sample with Wireshark listening on our routing machine shows that our sample is trying to contact server 218.2.0.

Read More

Amongst all the files captured in my honeypot all had a common thing: they were executables. All but one. A single lonely C source file. Naturally, this caught my attention, so I decided to read the source code.

After all, it was a rudimentary port scanner by someone going by the alias of Lupu to scan B-class networks. What really got my attention was this line of code:

strcpy(argv[0],"/bin/bash");

That... cannot work, right? I mean, is Linux really going to report my process as being the obviously innocuous bash shell just because I

Read More

If you want to have a look at what's been downloaded in my honeypot over these months, you can now.
In this period of time over 15,000 files have been downloaded, the majority of them being empty files due to bad redirects or malware servers being down. After cleaning up the empty files I'm left with 215, which are available for download here.
The site is password protected but if you want in you can contact me using the contact form found in my landing page or drop a comment below.

I am not responsible for whatever you may

Read More

Leaving the ssh port open to the wild

Have you ever wondered how much of a threat having a server exposed to the internet is?

I own a server on a public IP that serves HTTP + SSH, mainly for testing projects. It had no domain names pointing to it until a week ago and it is not linked to by any other machine (not that I know of). I had hardened the ssh service with iptables, rate limiting and a stricter ssh configuration. Still it didn't feel safe, as services like shodan do exist.

So, just to be sure, I decided to have a look at the

Read More