Collect Linux malware/threat intelligence with cowrie honeypot

Written by  on August 16, 2017 

Hi all!

One of my main topics of research has always been malware analysis and when it comes to work the first thing you need is actually some malware sample to work on. There is plenty of sites on the Internet where you can go and download malware samples and even some kind of “threat intelligence” but.. you always end up thinking am I getting the last samples? am I working on the same thing as everybody is doing? (so what are my chances to do something original?) and so on. On the other hand if you get this kind of “generic” samples it may be good to get the big picture of what’s going on on the Internet but if you have to defend a specific network you may want to know what’s happening there, what kind of malware is targeting your machines.

A honeypot is a system designed to act as similar as possible to a real vulnerable system, letting any kind of human attacker or bot get int and tracking it’s behavior. Recently I was in charge of the defense of a large datacenter, that network was constantly under attack of almost every kind of malware you can imagine and I had to design an effective strategy to mitigate this attacks and know more about what was happening. I’m not entering into details about how I managed to mitigate that but I can say that one of the actions I firstly performed to perform a “survey” about the state of the net was deploying a net of honeypots to log malware, attacks and behavior.

I used different kinds of honeypots for tracking different kind of stuff, I centralized the logs of each one of them and then co-related some events to perform an analysis. I used cowrie for tracking over the SSH protocol. Cowrie is an ssh honeypot, similar to kippo, that offers complete tracking on what is the attacker doing on the system. It is so useful because it also tracks what kind of files is the attacker downloading on the server so it can be used to get a considerable and “”personalized”” malware source.

You can install cowrie using the following:

apt-get install git python-virtualenv libmpfr-dev libssl-dev libmpc-dev libffi-dev build-essential libpython-dev python2.7-minimal authbind

pip install twisted
pip install logger
pip install configparser
pip install cryptography
pip install pyasn1

adduser –disabled-password cowrie

su – cowrie

git clone

cd cowrie

virtualenv cowrie-env

source cowrie-env/bin/activate

Once you got cowrie installed you can use the configuration file attached at the end of the post along with the information.

Once you got everything ready you may consider doing:

$ sudo iptables -t nat -A PREROUTING -p tcp –dport 22 -j REDIRECT –to-port 2222

Or something like that because I guess that you don’t want cowrie running with full root privileges, and non-root users can’t work on ports like 22.

Cowrie generates the following fake filesystem:

And as I told it reacts like an almost real ssh server.

After a couple of months with cowrie running I got interesting stuff like:

A considerable amount of malware and attack samples downloaded by the attackers

A whole lot of general interaction, including login attempts, pings, exploits sent, and everything you can imagine

And a lot of well-known attacks

Once I got enought data and checked that everything was working fine I wrote a python script for connecting the log to a MYsql database with the following structure (only SSH, other honeypots were removed from this schema):


With enough information and a couple of sql queries you can start doing useful things 🙂

You can download the full malware and log samples along with the cfg file here:!WUwFyCYS!v-wrTSpzRLq4qN5neO4nrQ

Category : interesting stuff

Tags :

Leave a Reply