PwnyPot is a High Interaction Client Honeypot. Despite other High-Interaction honeyClients which detect malicious servers based on system changes (file system and registery modifications, invoked/killed processes, …), PwnyPot uses a new approach. To accomplish this, PwnyPot uses exploit detection methods to detect drive-by downloads at exploitation stage and dump malware file. Using this approach, PwnyPot eliminates some limitations of current HoneyClients and improves the detection speed of High-Interaction client Honeypots. Some of the methods used in PwnyPot have been first implemented in MS EMET. Pwnypot can be used for automated analysis with the malware analysis system Cuckoo. Please checkout the specific documentation for this here: http://jamu.info/pwnypot/docs/pwnypot/index.html If you want to use PwnyPot as a stand-alone manual analysis tool, you need to build "Release" otherwise "CuckooRelease".
Some of PwnyPot features are:
* No System Infection * Exploit detection without any signature * Detecting 0-Day exploits * Detecting shellcodes * Dumping shellcodes * Dynamic Analysis of Shellcode * Detecting ROP * Detecting ROP module and key ROP function * Dumping ROP * Dumping Malware * Automated Anlaysis with Cuckoo
PwnyPot developed to generally work on Windows XP, Vista and 7 and can detect exploits written for softwares like :
* IE 6,7,8,9 * Firefox * MS Office Products * Adobe Acrobat Reader * Adobe Flash * and ...
Most of PwnyPot tests were performed on Windows 7 and IE 8, 9. At this release PwnyPot use Stack Pointer Monitoring method to detect ROP but in near future I will add some methods which has been introduced in MS Blue hat Contest. In addition PwnyPot has some general protections like Permanent DEP, activating this feature may let you detect and test more complicated and advanced exploits (for example by activating Heap Spray Protection you can find out whether the exploit use memory leakage to get Shellcode and ROP address or not).
One of fundamental weakness of this type of programs is being bypassed! Attackers can use some methods (which has not been seen in the wild yet!) to bypass Shellcode and ROP detector modules. Currently I’m aware of most of these bypassing methods and I’m going to fix them in near future. Another problem is Java Sandbox Escape exploits. This kind of exploits are often logical and do not use any kind of memory corruption or legacy Shellcodes. Because PwnyPot is designed base on memory corruption issues and Shellcode execution, it can’t detect this type of Java exploits yet!
* Adding some more methods for detecting Shellcodes and ROPs * Resolving weaknesses in order to prevent PwnyPot bypass methods * Detecting Java Logical Exploits ( and other types of logical vulnerabilities ) * Making a Web service to communicate remotely with the Honeypot * Making a web based UI * and ...
It’s the first beta version of PwnyPot and its manager (for feeding input [URL] to honeypot) isn’t complete yet. Currently PwnyPot does not work automatically on Windows XP-IE6, and you have to manually inject it in IE after it started (I think this might be caused by AppInitDLL and PwnyPot dll dependencies).
Your opinion means a great deal to us; Please let me know your ideas about this project to help me improve it in the future.
- Shahriyar Jalayeri (@ponez)
- Tobias Jarmuzek (@the_jamu)