SANS Internet Storm Center, InfoCON: green: Extracting Malware Transmitted Via Telnet, (Thu, Nov 3rd)

One characteristic of many of the telnet exploits we have seen over the last few years has been the transmission of malware using echo commands. Even the recent versions of Mirai used this trick. Reconstructing the malware from packet captures can be a little bit tricky, in particular if you are trying to automate the process. So here is what I have been doing for my honeypot DVR:

First of all, the DVR is connected to a remote controlled power outlet, to make it easy to reboot it as needed. I do use a shell script to reboot the DVR after it gets infected.

Next, I run snort to alert me that the honeypot got infected again. I don't trigger on the initial compromise, but on the outbound telnet scans. They usually start once the exploit completes. The signature I am using:

# sid is a placeholder local rule id (local rules use sid >= 1000000); snort requires one
alert tcp $HONEYPOTIP any -> any 23 (msg:"MIRAI end"; sid:1000001; rev:1;)

I just run snort like: snort -c ./snort.conf -A console -N -q -i eth0 and once it starts flooding the terminal with alerts, it is time to reboot (I haven't automated that part yet... soon). In addition I run a full packet capture of all traffic going to/from the DVR.

Once the honeypot is compromised (usually every 15 minutes or less), I take the packet capture and run it through tcpflow.

tcpflow will extract all TCP sessions and reassemble the payloads. The only step that is left is to extract the transmitted files. To do this, I wrote a little Perl script. Just pipe the telnet session files to it, and it will extract the malware. You can find it, and other tools/samples, here: https://github.com/jullrich/dvrxploits

The current script is in a "works for me" state. It will not work if multiple files are transmitted at the same time. For example:

echo -en '\x....' >> file1
echo -en '\x...' >> file2
echo -en '\x...' >> file1

Interleaving of echo statements like this is something I haven't seen so far, but it wouldn't be hard to adjust the script to deal with it.
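As an added example (not the author's Perl script from the dvrxploits repository, and not code from the diary), the following Python reconstruction performs the same extraction step on tcpflow output and also handles the interleaved case above: it strips telnet option negotiation from the raw client-to-server flow, replays every "echo -en ... > file" and ">> file" statement in order with shell truncate/append semantics, and returns one byte string per target file. The tool name extract_echo.py, the file naming of the written output and the SAMPLE_SESSION transcript are assumptions constructed for the example; the hex payloads in it are made up.

```python
import hashlib
import os
import re
import sys
from collections import OrderedDict

# Telnet protocol bytes that tcpflow leaves in the reassembled stream.
IAC, SB, SE = 255, 250, 240

# Matches one "echo -en '<escapes>' > file" or ">> file" statement.
ECHO_RE = re.compile(
    r"""echo\s+-(?:en|ne)\s+(?P<quote>['"])(?P<data>.*?)(?P=quote)"""
    r"""\s*(?P<op>>{1,2})\s*(?P<path>[^\s;&|]+)"""
)

# Escape forms understood by busybox/GNU "echo -e": \xHH, \0NNN, \n, \t, ...
ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\0([0-7]{0,3})|\\(.)")
SIMPLE_ESCAPES = {"n": b"\n", "t": b"\t", "r": b"\r", "a": b"\a",
                  "b": b"\b", "f": b"\f", "v": b"\v", "\\": b"\\"}


def strip_telnet_iac(raw):
    """Remove telnet option negotiation (IAC sequences) from a raw flow."""
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break
        cmd = raw[i + 1]
        if cmd == IAC:                  # IAC IAC is a literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                 # subnegotiation runs until IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif 251 <= cmd <= 254:         # WILL/WONT/DO/DONT carry an option byte
            i += 3
        else:                           # NOP, AYT, GA, ... are two bytes
            i += 2
    return bytes(out)


def decode_echo_escapes(text):
    """Turn the escape string given to 'echo -e' back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        elif m.group(2) is not None:
            out.append(int(m.group(2) or "0", 8) & 0xFF)
        else:   # unknown escapes are kept verbatim, which is what echo -e does
            out += SIMPLE_ESCAPES.get(m.group(3), b"\\" + m.group(3).encode("latin-1"))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def extract_files(session_text):
    """Replay every echo redirection in order; returns {path: bytes}.
    '>' truncates and '>>' appends, so interleaved writes to several files
    are reassembled correctly whatever their order in the session."""
    files = OrderedDict()
    for m in ECHO_RE.finditer(session_text):
        path = m.group("path")
        if m.group("op") == ">" or path not in files:
            files[path] = bytearray()
        files[path] += decode_echo_escapes(m.group("data"))
    return {p: bytes(b) for p, b in files.items()}


# Constructed sample of a client-to-server flow as tcpflow would write it
# (not a capture from the author's DVR); note the interleaved writes.
SAMPLE_SESSION = (
    "cd /tmp\r\n"
    "echo -en '\\x7f\\x45\\x4c\\x46' > file1\r\n"
    "echo -en '\\xde\\xad' > file2\r\n"
    "echo -en '\\x01\\x02\\x03' >> file1\r\n"
    "echo -en '\\xbe\\xef' >> file2\r\n"
    "chmod +x file1\r\n"
)


if __name__ == "__main__":
    # Usage: python extract_echo.py <tcpflow client-to-server flow files...>
    for flow in sys.argv[1:]:
        with open(flow, "rb") as fh:
            session = strip_telnet_iac(fh.read()).decode("latin-1")
        for name, blob in extract_files(session).items():
            # basename() so a path chosen by the attacker cannot escape the CWD
            out = f"{os.path.basename(flow)}.{os.path.basename(name)}.bin"
            with open(out, "wb") as fh:
                fh.write(blob)
            digest = hashlib.sha256(blob).hexdigest()
            print(f"{flow}: {name} -> {out} ({len(blob)} bytes, sha256 {digest})")
```

Feed it only the client-to-server direction of each telnet flow (the server echoes typed characters back, so the reverse direction would duplicate every statement), and keep the sha256 digests it prints: they are the quickest way to tell a fresh sample from one the honeypot has already collected.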

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
