2. About
• Over the weekend I collected two different
categories of malware
• Dionaea Honeypot malware (Conficker)
– Windows
– SMB-Based Exploits
• JBoss ZECMD worm
– Cross platform/Java
– JMX Console-based Exploits
4. Dionaea
• Dionaea is an open-source honeypot daemon
used to catch malware samples
• Installed and run on Linux
• Emulates a Windows 2000 Server
5. Protecting yourself
• Whenever you are doing any type of malware
research, be sure to protect yourself
• Segment the honeypot/analysis machine from
the rest of your network
6. Dionaea Log piped to “tail -f”
Tcpdump on port 445
Binaries collected
7. Commands
# tail -f dionaea.log
# tcpdump -i eth0 -XX -vvv tcp port 445
(add -w capture.pcap to write the packets to a file)
# while [ 1 ]; do ls -lah ; ls | wc ; sleep 1 ; done
8. Results
• Over 24 hours, the Dionaea honeypot
collected over 100 malware samples
• There were more attacks, but the honeypot
failed to capture binaries for more
sophisticated malware
• Over five attacks per minute
11. Anyone interested?
• I have over 100 malware samples directly from
the wild
• If anyone is interested in setting up an offline
lab with me for manual analysis, shoot me an
email
• Makes good practice for reverse engineering
13. ZECMD
• Steve Nawoichik and I first encountered this
during a penetration test one year ago
• Our client thought they would be cool and
stand up an intentionally vulnerable server to
test if we were doing our jobs
• They got hit with a JBoss worm
14. Worming Mechanism
• I did a bit of OSINT on the term “ZECMD.jsp”
and found a couple writeups by
Carnal0wnage, Kaspersky, and a few others
• The worm infects machines over the internet
by attacking exposed JBoss JMX consoles
• Deploys its own custom malicious WAR file
15. So…
• I set up a Linux box and installed JBoss
• Exposed the JMX console, no username, no
password
16. Infected
• JBoss worm hit me within 24 hours
• Again, ZECMD
• Good part about this worm
– Modular malware
– Portions are in Perl, C, and Java
– Drops the source code, relies on the machine to
compile
– No reversing necessary!
23. What I learned from the malware
• C2 (command and control) servers
• Propagation mechanism
• Able to identify compromised machines
• Handles of botmaster
• Methods of data exfiltration
• How to tell if a machine is infected