| 1 |
1. INTRODUCTION |
|---|
| 2 |
|
|---|
| 3 |
MwFetcher is a malware collect sensor which extracts potential malware from |
|---|
| 4 |
VMWare virtual disk (or physical disk, need to cooperate with PotManager |
|---|
| 5 |
from Artemis) by comparing the current file list with the clean file list. |
|---|
| 6 |
It now runs only under Linux. |
|---|
| 7 |
|
|---|
| 8 |
MwFetcher is a free software by The Artemis Project (i.e. Chinese Honeynet Project), |
|---|
| 9 |
released under the GPL; see the file LICENSE for details. |
|---|
| 10 |
|
|---|
| 11 |
2. QUICK START |
|---|
| 12 |
|
|---|
| 13 |
After setting up your virtual honeypot, run mwfetcher to generate clean file |
|---|
| 14 |
list: |
|---|
| 15 |
|
|---|
| 16 |
mwfetcher -i <VMX_FILE> |
|---|
| 17 |
|
|---|
| 18 |
Then, each time before you revert the virtual machine, you can use MwFetcher to |
|---|
| 19 |
fetch potential malware that may have infected the honeypot: |
|---|
| 20 |
|
|---|
| 21 |
mwfetcher <VMX_FILE> <SUBMIT_DIR> |
|---|
| 22 |
|
|---|
| 23 |
If you have more then one virtual machine honeypot, you can use config file to |
|---|
| 24 |
save time: |
|---|
| 25 |
|
|---|
| 26 |
mwfetcher -c <CONFIG_FILE> |
|---|
| 27 |
|
|---|
| 28 |
Fetched samples will be saved at /tmp/mwfetcher/<VIRTUAL_MACHINE_NAME>/ seperately. |
|---|
| 29 |
|
|---|
| 30 |
For more information, please read the MwFetcher Manual. |
|---|
| 31 |
|
|---|
| 32 |
3. REQUIREMENTS |
|---|
| 33 |
|
|---|
| 34 |
To run MwFetcher, you must have: |
|---|
| 35 |
|
|---|
| 36 |
Linux kernel version 2.6.9 or higher; |
|---|
| 37 |
Net block device module compiled; |
|---|
| 38 |
Bash shell version 3.0 or higher; |
|---|
| 39 |
VMWare version 4.5 or higher; |
|---|
| 40 |
Correspond Linux kernel module to mount virtual disk(e.g. kernle module ntfs). |
|---|
| 41 |
|
|---|
| 42 |
4. SETUP |
|---|
| 43 |
|
|---|
| 44 |
4.1 SETUP FROM PACKAGE |
|---|
| 45 |
|
|---|
| 46 |
Download MwFetcher package, decompress and extract it: |
|---|
| 47 |
|
|---|
| 48 |
tar -zxf mwfetcher.tar.gz |
|---|
| 49 |
cd MWFETCHER |
|---|
| 50 |
su |
|---|
| 51 |
./install |
|---|
| 52 |
|
|---|
| 53 |
4.2 SETUP FROM SVN |
|---|
| 54 |
|
|---|
| 55 |
Check out latest version of MwFetcher: |
|---|
| 56 |
|
|---|
| 57 |
svn co https://svn.mwcollect.org/honeybow/trunk/mwfetcher |
|---|
| 58 |
cd mwfetcher |
|---|
| 59 |
su |
|---|
| 60 |
./install |
|---|
| 61 |
|
|---|
| 62 |
5. CONFIGURATION |
|---|
| 63 |
|
|---|
| 64 |
MwFetcher accept config file with following format: |
|---|
| 65 |
|
|---|
| 66 |
<VMX_FILE #1> |
|---|
| 67 |
<VMX_FILE #2> |
|---|
| 68 |
... |
|---|
| 69 |
|
|---|
| 70 |
For more information, please read MwFetcher Manual. |
|---|
| 71 |
|
|---|
| 72 |
6. GETTING MORE INFORMATION |
|---|
| 73 |
|
|---|
| 74 |
If you have any question about MwFetcher or have bug(s) found, please write to |
|---|
| 75 |
|
|---|
| 76 |
Song Chengyu |
|---|
| 77 |
songchengyu@icst.pku.edu.cn |
|---|
| 78 |
cs@mwcollect.org |
|---|
| 79 |
Jianwei Zhuge |
|---|
| 80 |
zhugejianwei@icst.pku.edu.cn |
|---|
| 81 |
|
|---|
| 82 |
-- |
|---|
| 83 |
The Artemis Project (Chinese Honeynet Project) |
|---|
