Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

Thug – A Client Honeypot

7 Feb 2014

1. Introduction to Thug and Client Honeypot

I’ve always been interested in client honeypots. They are an amazing tool for security enthusiasts who wish to perform a quick analysis on Websites, communication channels, etc.

 

I was previously fascinated by Capture-HPC – a high-interaction client honeypot – developed by Christian Seifert and Ramon Steenson from the New Zealand Chapter of The Honeypot Project.  The project was later adopted and extended by The HoneySpider Network (HSN) – the HSN Capture-HPC NG. However, a high-interaction client honeypot may be a little much if I just want to perform a simple/light-weight analysis.

 

Thug is a Python low-interaction client honeypot publicly released in March 2012 by Angelo Dell’Aera at the Honeynet Project Security Workshop, held at Facebook Inc., Menlo Park.

 

Thug mimics the behaviour of Web browsers in order to detect and emulate malicious content. It makes use of the Google V8 JavaScript Engine, wrapped through PyV8, in order to analyse malicious JavaScript code, and the LibEmu library, wrapped through PyLibEmu, in order to detect and emulate shellcode.

 

Here I will demonstrate how you can get Thug running on your (Linux) machine, and how it can be used to perform analysis on sites of your interest.

2. Getting Started with Thug

After running into a "locally defined but not used" warning on LibEmu's emu_env_w32.lo (with "all warnings being treated as errors") during the installation on my Kubuntu 13.10 and Xubuntu 13.10 machines, I got Thug up and running on my Ubuntu 12.04.4 LTS machine instead.

 

Python 2.7 is required to run Thug properly:

apt-get install python2.7 python2.7-dev

 
Get Thug itself

apt-get install git
cd /opt/
git clone git://github.com/buffer/thug.git

 
Install Google V8 and PyV8

sudo apt-get install subversion
cd /opt/
svn checkout http://v8.googlecode.com/svn/trunk/ v8

 

svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8

 

cp thug/patches/PyV8-patch* .
patch -p0 < PyV8-patch1.diff

 

sudo apt-get install build-essential libboost-python-dev
export V8_HOME=/opt/v8
cd /opt/pyv8
python setup.py build
sudo python setup.py install

 

If you are facing problems with LibBoost, check out Stack Overflow question #7160608.

 
Install Beautiful Soup 4

apt-get install python-setuptools
easy_install beautifulsoup4

 
Install HTML5Lib

easy_install html5lib

 
Install JSBeautifier

easy_install jsbeautifier

 
Install LibEmu

sudo apt-get install autoconf libtool
cd /tmp/
git clone git://git.carnivore.it/libemu.git
cd libemu
autoreconf -v -i
./configure --prefix=/opt/libemu
sudo make install

 
Install PyLibEmu

cd /opt/
git clone git://github.com/buffer/pylibemu.git
cd pylibemu
python setup.py build
sudo python setup.py install

 
Install PEFile

easy_install pefile

 
Install CharDet

easy_install chardet

 
Install HTTPLib2

easy_install httplib2

 
Install CSSUtils

easy_install cssutils

 
Install Zope Interface

easy_install zope.interface

 
Install PyParsing

easy_install pyparsing

 
Install PyDot

easy_install pydot

 
Install Python-Magic

apt-get install python-pip
pip install python-magic

 
Install Yara & Yara-Python

apt-get install libpcre3 libpcre3-dev
cd /opt/
git clone git://github.com/plusvic/yara.git
cd yara
./build.sh
sudo make install

 

cd yara-python
python setup.py build
sudo python setup.py install

 

echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig

 
Install MongoDB

apt-get install mongodb

 

Install PyMongo

easy_install pymongo

 
Test if Thug works:

python /opt/thug/src/thug.py -h

If you get an "ImportError: libemu.so.2: cannot open shared object file: No such file or directory" error, register the LibEmu library directory with the dynamic linker:

touch /etc/ld.so.conf.d/libemu.conf
echo "/opt/libemu/lib/" > /etc/ld.so.conf.d/libemu.conf
ldconfig
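The install list above is long, and a single missing module (or a module whose shared library the linker cannot find) shows up only as a traceback when Thug starts. The following preflight script is an added example, not part of the original post or of the Thug project: it tries to import each Python dependency named in the steps above and checks that the ld.so.conf.d entry from the libemu fix is present. The module names (for example that PyV8 imports as PyV8 and PyLibEmu as pylibemu) and the paths are taken from the post; they are assumptions about your install, not anything the script discovers.

```python
# Added example (not from the original post or from Thug): a preflight check that
# reports which of Thug's Python dependencies listed above can actually be imported.
import importlib

# Import name -> name of the install step above. Import names are assumed to match
# what each package registers (PyV8 -> "PyV8", PyLibEmu -> "pylibemu", ...).
THUG_DEPENDENCIES = {
    "PyV8": "PyV8",
    "pylibemu": "PyLibEmu",
    "bs4": "Beautiful Soup 4",
    "html5lib": "HTML5Lib",
    "jsbeautifier": "JSBeautifier",
    "pefile": "PEFile",
    "chardet": "CharDet",
    "httplib2": "HTTPLib2",
    "cssutils": "CSSUtils",
    "zope.interface": "Zope Interface",
    "pyparsing": "PyParsing",
    "pydot": "PyDot",
    "magic": "Python-Magic",
    "yara": "Yara-Python",
    "pymongo": "PyMongo",
}


def check_imports(modules):
    """Try to import each module; return {module: None if it loaded, else the error text}."""
    results = {}
    for name in modules:
        try:
            importlib.import_module(name)
            results[name] = None
        except Exception as exc:  # ImportError, or a loader error such as a missing .so
            results[name] = "%s: %s" % (type(exc).__name__, exc)
    return results


def missing_modules(modules):
    """Sorted list of the modules that failed to import."""
    return sorted(name for name, err in check_imports(modules).items() if err)


def ld_conf_has_path(conf_path, lib_dir):
    """True if an ld.so.conf-style file lists lib_dir (trailing slash ignored).

    Confirms the fix for the 'libemu.so.2: cannot open shared object file' error.
    """
    wanted = lib_dir.rstrip("/")
    try:
        with open(conf_path) as fh:
            return any(line.strip().rstrip("/") == wanted
                       for line in fh if line.strip() and not line.startswith("#"))
    except IOError:
        return False


if __name__ == "__main__":
    for name, err in sorted(check_imports(THUG_DEPENDENCIES).items()):
        status = "ok" if err is None else "MISSING (%s)" % err
        print("%-16s %-18s %s" % (name, THUG_DEPENDENCIES[name], status))
    # Paths from the ld.so.conf.d fix in the post.
    conf = "/etc/ld.so.conf.d/libemu.conf"
    print("libemu lib dir registered in %s: %s"
          % (conf, ld_conf_has_path(conf, "/opt/libemu/lib/")))
```

Run it with the same interpreter you will use for thug.py; a dependency that installs fine but fails to load (the libemu case above) is reported with the loader's error text rather than a bare "missing".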

 

Here are some flags that you should be familiar with:

  • -u flag – using different browser personalities / user-agents plus supported schemes
  • -r flag – specifying a referrer
  • -l flag – analysing a local HTML file
  • -o flag – logging to a specified file
  • -v flag – enabling verbose mode
 

3. Analysing Something Simple

The European Union Agency for Network and Information Security (ENISA) has a series of Computer Emergency Response Team (CERT) Exercise and Training Material – containing Handbook, Toolset and Virtual Image – to support hands-on training sessions essential for success in the CERT community and in the field of information security.

 

Among these, ENISA has an exercise specifically on honeypots, with the objective of familiarising users with server- and client-honeypots: Honeypots CERT Exercise Handbook / Toolset / Virtual Image.

 

In this and the next section, I will be referring to the CERT Exercise Handbook and utilising the Virtual Image supplied by ENISA for my demonstration.

 

Network Setup

Since I already have Thug installed on my Ubuntu 12.04.4 LTS machine, I will only be using the Virtual Image as a Web Server to serve me a suspicious Website.

First, fire up the Apache service. P.S., the username and password of the Virtual Machine are “student” and “honeypot” respectively.

Next, configure the /etc/hosts file of your Thug machine such that you can access the Website via a suspicious URL.

Analysing Suspicious Webpage (ex1.html) Using Thug

With the network all set, let the analysis begin!

Here we see 3 interesting activities:

  • An [iFrame Redirection] on ex1.html to ex2.html;
  • Another [iFrame Redirection] to ex3.html; and
  • A [Window] alert text with “you are using Internet Explorer not 7”

Thug has also captured the HTML source code of the 3 Webpages (ex1.html, ex2.html and ex3.html) it visited during the analysis; they are located at /opt/thug/logs, and each Webpage is named after its MD5 hash value.

ex1.html

The iFrame on ex1.html is generated by an obfuscated JavaScript (you can deobfuscate it using an external tool or service).

 
ex2.html

Here you see another JavaScript that displays a different iFrame depending on the Web browser you are using. It directs you to malicious.html if you are using Internet Explorer 7, ex3.html if you are using Internet Explorer but not version 7, and ex4.html if you are using any other type of browser.

 

Since Thug emulates the personality of Internet Explorer 6.1 on Windows XP by default, an iFrame redirection to ex3.html was displayed during the analysis.

 
ex3.html

ex3.html is just an obfuscated JavaScript that displays a window alert saying “you are using Internet Explorer not 7.”

 

Is ex1.html Malicious?

According to the analysis, ex1.html is not malicious. But what if you are using Internet Explorer 7 to access ex2.html, and the JavaScript fetches the content from malicious.html via the iFrame? We’ll look into that in the next section.

 

4. Analysing Something Malicious

Continuing from where we left off, we know that there are two other outcomes (i.e. malicious.html and ex4.html) depending on the user agent used to access ex2.html.

We know that we’ll be served with malicious.html via the iFrame if we are using an Internet Explorer 7 personality, and ex4.html for any other non-IE personality.
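The branching on ex2.html (described in section 3 and restated just above) is the reason a client honeypot needs more than one personality: each user agent reveals only one of the three iFrame targets. The script below is an added example, written for this post and not taken from Thug or from the ENISA material. It models that branching and reports which targets a given set of personalities would expose. The user-agent strings are constructed to resemble what the three personalities used in this post (IE 6 on Windows XP, IE 7, Firefox 12 on Windows XP) would send; they are not copied from Thug's personality table, and the page names come from the post.

```python
# Added example (not from the original post, Thug or ENISA): a model of the
# user-agent-dependent iFrame on ex2.html, used to plan personality coverage.
import re

# Branch targets exactly as the post describes them.
TARGETS = {"ie7": "malicious.html", "ie_other": "ex3.html", "non_ie": "ex4.html"}

# Constructed user-agent strings in the format these browsers send; illustrative
# only, not copied from Thug's own personality definitions.
PERSONALITIES = {
    "IE 6 on Windows XP (Thug default)": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "IE 7 on Windows XP": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Firefox 12 on Windows XP": "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0",
}

MSIE_RE = re.compile(r"MSIE (\d+)\.")


def msie_major(user_agent):
    """MSIE major version found in a user-agent string, or None for a non-IE agent."""
    m = MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def iframe_target(user_agent):
    """Page the ex2.html script would load into its iFrame for this user agent."""
    major = msie_major(user_agent)
    if major is None:
        return TARGETS["non_ie"]
    if major == 7:
        return TARGETS["ie7"]
    return TARGETS["ie_other"]


def coverage(personalities):
    """Return (target -> personalities that expose it, targets no personality reaches)."""
    seen = {}
    for name, ua in personalities.items():
        seen.setdefault(iframe_target(ua), []).append(name)
    unreached = sorted(set(TARGETS.values()) - set(seen))
    return seen, unreached


if __name__ == "__main__":
    seen, unreached = coverage(PERSONALITIES)
    for target, names in sorted(seen.items()):
        print("%-15s exposed by %s" % (target, ", ".join(sorted(names))))
    print("not reached with all three:", unreached or "none")
    # With only the default IE 6 personality, two of the three branches stay hidden.
    default_only = {k: v for k, v in PERSONALITIES.items() if "default" in k}
    print("not reached with default only:", coverage(default_only)[1])
```

The practical takeaway is the `coverage` check: run the analysis once per branch you expect (Thug's -u flag selects the personality), and treat any target that no personality reaches as content you have not yet seen.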

 

So let’s begin with the former!

 

Redirection to malicious.html

Using Thug, repeat the analysis process using an Internet Explorer 7 personality.

Here we see much more interesting events going on:

  • An [iFrame Redirection] on ex1.html to ex2.html;
  • Another [iFrame Redirection] to malicious.html; and
  • At malicious.html, an ActiveX object is created, and it uses some functions to fetch a file – malware.exe – and write it to the visitor’s C drive as sysqvda.exe.

The JavaScript on malicious.html uses an ActiveX exploit for a vulnerability in Internet Explorer (CVE-2006-0003) to fetch malware.exe, save it to the victim’s local disk drive and execute it.
 

In addition to the 3 Webpages (ex1.html, ex2.html and malicious.html) Thug has analysed, it saved a copy of sysqvda.exe (i.e. malware.exe) in the analysis log directory – /opt/thug/logs. Such files can be analysed using external tools or services (e.g. VirusTotal, Anubis, Cuckoo, etc.).

Upon analysing the captured suspicious binary, you will find that it’s just an EICAR test file.
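Before handing captured files to an external service it helps to inventory the log directory: hash everything, confirm that each captured page's file name really is the MD5 of its contents (the naming convention mentioned in section 3), and pick out anything that looks like a Windows executable, as sysqvda.exe did here. The script below is an added example written for this post, not Thug's own code. It assumes the /opt/thug/logs location from the post and identifies executables by the "MZ" header alone, a deliberately simple stand-in for python-magic or pefile.

```python
# Added example (not Thug's own code): triage the files Thug leaves in its log
# directory, verify page names against the MD5 of their contents, and flag
# Windows executables for submission to an external sandbox.
import hashlib
import os


def hashes(data):
    """MD5 and SHA-256 of a byte string, as hex digests."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def sniff(data):
    """Rough content type from leading bytes; 'MZ' marks a DOS/PE executable."""
    if data[:2] == b"MZ":
        return "pe"
    head = data[:512].lower()
    if b"<html" in head or b"<script" in head or b"<iframe" in head:
        return "html"
    return "other"


def triage_file(path):
    """Hash one captured file and decide whether it deserves sandbox submission."""
    with open(path, "rb") as fh:
        data = fh.read()
    h = hashes(data)
    kind = sniff(data)
    return {
        "path": path,
        "type": kind,
        "size": len(data),
        "md5": h["md5"],
        "sha256": h["sha256"],
        # Thug names captured pages after their MD5; a mismatch means the file was
        # renamed or altered after capture (or is a dropped binary, as sysqvda.exe was).
        "name_matches_md5": os.path.basename(path).lower() == h["md5"],
        "submit_to_sandbox": kind == "pe",
    }


def triage_dir(log_dir):
    """Triage every file below log_dir, in a stable order."""
    results = []
    for root, _dirs, files in os.walk(log_dir):
        for fname in sorted(files):
            results.append(triage_file(os.path.join(root, fname)))
    return results


if __name__ == "__main__":
    for r in triage_dir("/opt/thug/logs"):  # path assumed from the post
        flag = "SUBMIT" if r["submit_to_sandbox"] else ""
        print("%-5s %8d %s %s %s" % (r["type"], r["size"], r["md5"], r["path"], flag))
```

The SHA-256 is recorded alongside the MD5 because most external services (VirusTotal included) let you look a file up by hash before uploading it, which avoids resubmitting a sample they already know.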

Is ex1.html Malicious?

It is considered malicious when you are browsing it with an Internet Explorer 7 Web browser. Although it’s just an EICAR test file, it’s considered a “malware”.

 

What about ex4.html?

We’ve analysed ex3.html and malicious.html. What about ex4.html, which ex2.html’s iFrame may have redirected us to?

 

Now perform an analysis using any other user agent other than that of an Internet Explorer. I used Firefox 12 on a Windows XP machine.

Now it’s your turn to perform your own analysis.

 

Practice Makes Perfect!

You should be familiar with Thug. The Virtual Image provided by ENISA offers another suspicious Website you can practice your analysis skills on.

 

Using the same network setup:

 

This case is no longer contained within a single URL; therefore, you will have to update the /etc/hosts file on your analysis machine (my Ubuntu 12.04.4 LTS machine) to the following

Now begin your analysis of http://www.coruscant.emp/main.html!

 

Ask yourself the following questions (Source: ENISA’s Honeypots CERT Exercise Handbook):

  1. Is the web site malicious or not?

  2. How was the attack carried out? Describe step by step (could be presented as a flow diagram).

  3. What domain names and IP addresses are involved in the attack?

  4. Which browsers are targeted?

  5. Which vulnerabilities are exploited and how?

  6. How could we mitigate the attack?
