MwFetcher Online Manual
HoneyBow Sensor
You can download the PDF version here (out of date).
CAUTION
The clean list format changed in v0.1.2 and is not compatible with earlier versions.
Installation
Install from Subversion
Download the latest version of MwFetcher
svn co https://svn.mwcollect.org/honeybow/trunk/mwfetcher
Run the install.sh script to install (as root):
cd mwfetcher
su
./install.sh
Install from Package
Download the latest version of MwFetcher package from SourceForge and extract it
tar zxf mwfetcher-$version.tar.gz
Run the install.sh script to install (as root):
cd MWFETCHER
su
./install.sh
Usage
Initialization
MwFetcher uses file list comparison to find potential malware, so a clean file list of the virtual machine honeypot must be generated first. Use the following command to generate the clean file list for a virtual machine:
mwfetcher -i [-m path] [-s path] [-g file] [-M] vmxfile
Options
-i Initialize the clean list;
-m Specify the virtual disk mount point; $HOME/.mwfetcher/tmp_mnt/ is used by default;
-s Specify the directory in the virtual disk that will be scanned; by default the whole disk is scanned;
-g Specify the clean list file path; $HOME/.mwfetcher/<vmxfile>.good is used by default;
-M Use MD5 hashes for comparison.
For example
[root@localhost]# mwfetcher -i /root/vmware/Windows\ 2000\ Server/Windows\ 2000\ Server.vmx
[root@localhost]# ls .mwfetcher
tmp_mnt  Windows 2000 Server.good
[root@localhost]# mwfetcher -i -g /root/w2k.good -M /root/vmware/Windows\ 2000\ Server/Windows\ 2000\ Server.vmx
[root@localhost]# head /root/w2k.good
MD5
8c380b72d814773cae4c42e6af613f16 /pagefile.sys
2669976b3b4d6124bb3fba553806d68d /windows/system32/config/userdiff
8ce9081890ba4959e6a5946b85fb833b /windows/system32/config/system.log
65c507414db2e6ece3cb866699d3d86f /windows/system32/config/software.log
fee71d8fb5539a3a15f909ac42e0ff93 /windows/system32/config/default.log
02c11b8badbbaaf486e8a93b4b2b9342 /windows/system32/config/userdiff.log
e55cfb5cad49c7826c5dc8b66ef8026c /windows/system32/config/TempKey.LOG
d67a2eb2352a1f9eef0c874e7b828a4c /windows/system32/config/system.sav
6da6f1e8992807e81c440c54f8bd0e2e /windows/system32/config/software.sav
Caution: if the clean list is generated with the -M option, the scan process must use the -M option too.
Scan
Before reverting the virtual machine, run MwFetcher to extract potential malware from the virtual disk:
mwfetcher [-m path] [-l path] [-s path] [-g file] [-f] [-M] vmxfile submit-dir
Options
-m Specify the virtual disk mount point; $HOME/.mwfetcher/tmp_mnt/ is used by default;
-l Specify the path where MwWatcher's runtime logs are saved; if not specified, logs are not saved;
-s Specify the directory in the virtual disk that will be scanned; by default the whole disk is scanned;
-g Specify the clean list used for comparison; $HOME/.mwfetcher/<vmxfile>.good is used by default;
-f Fetch the samples captured by MwWatcher; by default they are not fetched;
-M Use MD5 hashes for file comparison.
For example
[root@localhost]# mwfetcher /root/vmware/Windows\ 2000\ Server/Windows\ 2000\ Server.vmx /root/samples/
…
[root@localhost]# mwfetcher -g /root/w2k.good -M /root/vmware/Windows\ 2000\ Server/Windows\ 2000\ Server.vmx /root/samples/
Caution: if the scan process uses the -M option, the clean list must have been generated with the -M option too.
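The initialization and scan runs above both rest on the same idea: record every file on the clean virtual disk, then after the honeypot has run, report files that are not on that list (or, with -M, whose content changed). The following is an added illustration of that comparison written for this manual, not MwFetcher's own script. It mirrors the MD5 list layout shown by the `head /root/w2k.good` output (an "MD5" header line, then "<md5> <path>" lines); the non-MD5 layout (one path per line, no header) is an assumption, since the manual does not show it. The mount point, clean list and "infected" files are constructed in a temporary directory. It also enforces the two cautions: a list written with -M is only compared by a scan run with -M, and vice versa.

```python
# Added example (not MwFetcher's own code): clean-list generation and
# comparison in the style of `mwfetcher -i` and the scan run.
import hashlib
import os
import tempfile


def _walk(root, scan_dir=""):
    """Yield (path as written in the clean list, real path) for every file
    under root/scan_dir. Paths are stored relative to the mount point with
    a leading '/', matching the manual's `head /root/w2k.good` output."""
    base = os.path.join(root, scan_dir.lstrip("/"))
    for dirpath, _dirs, files in os.walk(base):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            yield rel, full


def _md5(path):
    """Hash a file in chunks so large files such as pagefile.sys fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_clean_list(mount, list_file, use_md5=False, scan_dir=""):
    """Counterpart of `mwfetcher -i [-M] [-s scan_dir] [-g list_file] vmx`.
    With use_md5 the file starts with an "MD5" header line followed by
    "<md5> <path>" lines (the format shown in the manual). Without it, one
    path per line and no header; that layout is an assumption, the manual
    does not show the non-MD5 format."""
    with open(list_file, "w") as out:
        if use_md5:
            out.write("MD5\n")
        for rel, full in _walk(mount, scan_dir):
            out.write(f"{_md5(full)} {rel}\n" if use_md5 else f"{rel}\n")


def read_clean_list(list_file):
    """Return (list_is_md5, {path: md5 or None}); the header decides the mode."""
    with open(list_file) as f:
        lines = f.read().splitlines()
    list_is_md5 = bool(lines) and lines[0] == "MD5"
    known = {}
    for line in (lines[1:] if list_is_md5 else lines):
        if not line.strip():
            continue
        if list_is_md5:
            digest, path = line.split(" ", 1)
            known[path] = digest
        else:
            known[line] = None
    return list_is_md5, known


def scan(mount, list_file, use_md5=False, scan_dir=""):
    """Counterpart of the scan run: return (path, reason) for files absent
    from the clean list ("new") or, in MD5 mode, whose content changed
    ("modified"). Refuses to compare when the list was generated in the
    other mode, which is the manual's caution about -M."""
    list_is_md5, known = read_clean_list(list_file)
    if list_is_md5 != use_md5:
        raise ValueError("clean list and scan must both use -M, or neither")
    suspicious = []
    for rel, full in _walk(mount, scan_dir):
        if rel not in known:
            suspicious.append((rel, "new"))
        elif use_md5 and _md5(full) != known[rel]:
            suspicious.append((rel, "modified"))
    return suspicious


def demo():
    """Constructed honeypot disk: take a clean list, simulate a run that
    drops a file and patches a system file, rescan, and show the -M check."""
    work = tempfile.mkdtemp(prefix="mwfetcher-demo-")
    mount = os.path.join(work, "tmp_mnt")
    sys32 = os.path.join(mount, "windows", "system32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
        f.write(b"original kernel32 (constructed)")
    good = os.path.join(work, "w2k.good")
    write_clean_list(mount, good, use_md5=True)
    with open(os.path.join(sys32, "dropper.exe"), "wb") as f:   # new file
        f.write(b"dropped file (constructed)")
    with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:  # patched file
        f.write(b"patched kernel32 (constructed)")
    found = sorted(scan(mount, good, use_md5=True))
    try:
        scan(mount, good, use_md5=False)   # list is MD5, scan is not
        mode_mismatch_caught = False
    except ValueError:
        mode_mismatch_caught = True
    return found, mode_mismatch_caught


if __name__ == "__main__":
    print(demo())
```

Without -M only file names are compared, so a malware sample that overwrites an existing system file in place is invisible to the scan; the MD5 mode catches it at the cost of hashing every file on each run, which is why the manual offers both.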
Batch Mode Scan
You can use MwFetcher’s batch mode to scan several virtual machines:
mwfetcher [-M] [-c config-file] -b
Option -b tells MwFetcher to run through the virtual machine list given in <config-file>; if <config-file> is not specified, $HOME/.mwfetcher/config is used by default. The <config-file> must have the following format:
<VMX_FILE #1>
<VMX_FILE #2>
…
For example (see also the default <config-file>)
/root/vmware/Windows\ XP\ Professional/Windows\ XP\ Professional.vmx
/root/vmware/Windows\ 2000\ Server/Windows\ 2000\ Server.vmx
…
While running in batch mode, MwFetcher uses $HOME/.mwfetcher/tmp_mnt/ as the mount point, /tmp/mwfetcher/<vmxdir> as the submit directory (e.g. /tmp/mwfetcher/Windows\ 2000\ Professional), fetches MwWatcher's captured samples, saves MwWatcher's runtime logs at $HOME/.mwfetcher/<vmxdir>, and uses $HOME/.mwfetcher/<vmxfile>.good as the clean list.
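To see what batch mode resolves each entry to, here is an added example (not MwFetcher's own code) that parses a <config-file> in the format above and derives the per-VM defaults just listed. The config text is constructed. It assumes that <vmxdir> means the name of the directory containing the .vmx file and <vmxfile> the .vmx file name without its extension, which is how the "Windows 2000 Server.good" and "/tmp/mwfetcher/Windows\ 2000\ Professional" examples in this manual read.

```python
# Added example (not MwFetcher's own code): parse a batch-mode <config-file>
# and derive the per-VM defaults the manual lists for batch mode.
import os
import shlex

# Constructed config in the manual's format: one .vmx path per line, spaces
# escaped with backslashes as on a shell command line.
CONFIG = r"""
/root/vmware/Windows\ XP\ Professional/Windows\ XP\ Professional.vmx
/root/vmware/Windows\ 2000\ Server/Windows\ 2000\ Server.vmx
"""


def parse_config(text):
    """Return the list of .vmx paths with shell escapes resolved; blank lines
    are skipped. shlex in POSIX mode turns a backslash-escaped space into a
    plain space, so each escaped path becomes one entry."""
    paths = []
    for line in text.splitlines():
        if line.strip():
            paths.extend(shlex.split(line))
    return paths


def batch_defaults(vmx_path, home="/root"):
    """Defaults MwFetcher applies in batch mode, per the manual. Assumption:
    <vmxdir> is the name of the directory holding the .vmx and <vmxfile> is
    the .vmx file name without extension (inferred from the manual's
    examples, not stated by it)."""
    vmxdir = os.path.basename(os.path.dirname(vmx_path))
    vmxfile = os.path.splitext(os.path.basename(vmx_path))[0]
    return {
        "vmx": vmx_path,
        "mount": os.path.join(home, ".mwfetcher", "tmp_mnt"),
        "submit_dir": os.path.join("/tmp/mwfetcher", vmxdir),
        "log_dir": os.path.join(home, ".mwfetcher", vmxdir),
        "clean_list": os.path.join(home, ".mwfetcher", vmxfile + ".good"),
        "fetch_samples": True,   # batch mode always fetches MwWatcher samples
    }


def plan(text, home="/root"):
    """One defaults dict per VM listed in the config, in file order."""
    return [batch_defaults(p, home) for p in parse_config(text)]


if __name__ == "__main__":
    for entry in plan(CONFIG):
        print(entry)
```

Because every VM in the batch shares the single mount point $HOME/.mwfetcher/tmp_mnt/, the VMs are necessarily processed one after another; only the submit directory, log directory and clean list are per-VM.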
About honeypots' file system
Theoretically MwFetcher could support any file system the Linux kernel supports, but it has been tested only against Microsoft's FAT32 and NTFS file systems, and both may cause problems while scanning. For FAT32, due to its unstable nature, abnormal samples may be captured; therefore MwFetcher aborts the scan if the check of the FAT32 file system with the fsck.vfat -y command fails. On the other hand, if you use NTFS the host OS (Linux) sometimes hangs after a period of automatic operation. That period may vary from two days to about two months, and this might be due to the incomplete support for NTFS in the Linux kernel. So we strongly recommend that you test your pot first.
Known Issues
- When using the sudo command to run mwfetcher as root (for example on Ubuntu), the script is not processed by Bash as it should be, and a syntax error occurs. To solve this problem, run mwfetcher as follows:
sudo bash mwfetcher [OPTIONS]
