Fishing for Malware — Part One: Introduction

Published 2022-01-22
Edited 2023-10-25 (git:05b41b4)

Intro

Over the past three weeks (school occupied my time), I have left a honeypot (T-Pot, courtesy of Telekom) running on a VM instance in Google Cloud. After all, what better way to thank Google for the $400 of free Cloud Compute credit they gifted me than to attract malware-distributing bots and hackers directly to their data centers? I jest, but the results of the honeypot thus far have been fascinating and insightful: from attack origins to the payloads and attempted exploits logged, there is much to share.

First, however, I would like to acknowledge the material that inspired this post and helped me set up the virtual environment for it. My friend and peer Nathan Burns hosts a technical blog similar to mine at nburns.tech. If you’re interested in creating a honeypot of your own, as Nathan and I have (which, mind you, is a surprisingly accessible project), I suggest you check out his tutorial, Installing and Configuring a Honeypot in Google Cloud. His two-part article does away with the complexity and ambiguity otherwise associated with this task and explains in detail every step required to replicate our configuration.

Structure and Purpose

Due to the depth of this topic, Fishing for Malware will be published as a series of posts; what you are reading now is only the introduction. In this series, I will examine a subset of the malicious binaries received and the attack surfaces they targeted. My research goal is to log one million attacks; at that point, I will shut down the honeypot and share the aggregate data collected over its entire uptime.

In doing so, I hope to shed some light, at a high level, on how malicious actors execute untargeted, automated attacks against Internet of Things devices. Telekom’s T-Pot collection is well suited to this task: it exposes bait services covering everything from the most common vectors, such as SSH brute-forcing, to the uncommon and exotic, like the Android Debug Bridge (ADB) exposed over the network.

Please note that, as with all content on my website, education is the only objective. By exposing the source code and strategies employed by malware authors, I hope only to contribute to the cybersecurity community and to my own knowledge. Please do not copy any of the techniques shown here for unethical purposes.

Let’s get started.

Fishing for Malware: Part 2 →