Collecting Malware in Swiss German University with Low Energy and Cost Computer

Malware spreads massively in Indonesia, yet information security does not appear to be a top priority for Indonesians. The use of pirated software is still high, although it is the biggest threat and the main entry point for malware attacks. This paper shows how to collect the malware spreading in a system in order to learn which malware trends exist, so that the owner knows the malware trends inside his system and can counter the attacks. To collect the malware, I use Dionaea, a honeypot for collecting malware, and implement it on a Raspberry Pi. The Raspberry Pi is a small, low-cost computer with low energy consumption. By using a Raspberry Pi to collect malware, we can minimize the budget and save energy and space.


Introduction
In a survey by KTPG Luxembourg, they state that although industries nowadays are already bound to information technology, in 2013 industries spent less than 25% of their budget on information technology, and the budget for information security either remained the same or decreased from 2012 (Hoffman, M., Luxembourg, C.J., 2013). This shows that industries do not realize how important information security is.
According to research from gocsi.com, malware attacks are the number one threat to information security (67% in 2010 and still increasing) (CSI Survey, 2010). That is why an information system needs a device to detect, report, and collect malware. The Honeynet Project community has a tool called Dionaea to collect malware. Dionaea is capable of detecting and collecting malware, even unknown malware. Dionaea's source code is available online, which means anybody can build/compile the code for any operating system (Dionaea).
Running Dionaea does not require sophisticated or brand new hardware; even an old Pentium can run Dionaea (Spitzner, L. et al., 2004). Currently there is a microcomputer called Raspberry Pi, which uses an ARM processor and runs Linux. A Raspberry Pi set costs only ¼ of a nanoPC available on the market. This led me to use the Raspberry Pi as the device to detect and collect malware.

Dionaea
Dionaea is a tool from the Honeynet Project community. Dionaea was started by Markus Koetter and is an open source project, so it is still being developed today. Basically, Dionaea opens seven well-known ports as a trap for attackers (especially malware): FTP, TFTP, HTTP, SMB, MSSQL, MySQL, and VoIP (SIP). When an attack is detected, it emulates a fake system and checks any transferred file with libemu to determine whether the file is malicious. When libemu detects an anomaly in the file, Dionaea copies the file to a folder. Dionaea also records the connection information, such as source IP, source port, date, and time, in an SQLite database. Dionaea must be installed on a dedicated computer that holds no valuable data and is separate from the production computers. Dionaea can be supported by VirusTotal. VirusTotal is an online malware analysis tool that cooperates with 51 antivirus vendors to analyze what kind of malware has been uploaded (Virustotal). Dionaea can automatically upload the captured suspicious files to VirusTotal.
Besides recording the connection information, with the help of a third-party application called p0f (p0f v3), Dionaea can passively detect the operating system that the attackers use, so we can obtain statistics on the operating systems attackers use.

Raspberry Pi
The Raspberry Pi is a small, credit-card-sized computer. It consumes at most 5 watts of electrical power. The Raspberry Pi comes in two types, type A and type B; type B's specification is higher than type A's. This research uses the Raspberry Pi type B. Here is the specification of the Raspberry Pi type B: Using the Raspberry Pi is effective and efficient in terms of electricity, space, and cost compared to a normal computer or even a nanoPC on the market. The Raspberry Pi consumes only 5 watts of electrical power, has the size of a credit card, and costs only ¼ of a normal computer.

Proposed Architecture
The Raspberry Pi with Dionaea is set up at Swiss German University. Swiss German University has a block of public IP addresses that is accessible from anywhere. In order to receive attacks, the Raspberry Pi is connected to one public IP address. This public IP address is not filtered by any firewall, so every connection is permitted to reach the honeypot (Dionaea) on the Raspberry Pi. Figure 1 shows the proposed architecture for implementing Dionaea at Swiss German University. The operating system for the Raspberry Pi is Raspbian; Raspbian is essentially Debian with modifications from the Raspberry Pi community, developed to make the hardware and the operating system compatible with each other.

Install Dionaea in Raspberry Pi
Dionaea can be installed on the Raspberry Pi. It needs some dependencies that can be downloaded, compiled, and installed on a Linux operating system. Since the Raspberry Pi runs Raspbian, which is based on Debian Linux, all of Dionaea's dependencies run well. This is the list of Dionaea's dependencies: Once the dependencies have been installed properly, Dionaea is ready to be installed. Dionaea's source code can be downloaded from GitHub, then compiled and installed on the Raspberry Pi. Some modifications to Dionaea's configuration must be made to enable automatic VirusTotal analysis, enable p0f passive OS fingerprinting, and configure the logging system so that it is efficient.

Capture Result
Dionaea treats every incoming connection as malicious. This is because no legitimate user has a reason to connect to Dionaea, since it holds no valuable data. So every incoming connection to Dionaea is recorded in the SQLite database, and Dionaea may also detect a suspicious malware attack. Copies of the malware binaries are stored in a folder on the Raspberry Pi. The most important item in the capture result is the attacker's IP address. We can see all the IP addresses that connected to Dionaea. Here is the query:
Besides the frequency of attackers, we can also see the frequency of malware attacks. Here is the query:
It shows that 'None' malware attacked 4 times, W32/Blaster.worm.e once, and W32/Conficker.worm.gen.a twice. This result shows that not all incoming connections carry malware, and from it we can obtain the trend of malware attacks on the SGU information system.
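The two queries the paper refers to (attacker frequency by IP address and malware frequency by antivirus verdict), plus a per-day capture count for the trend the paper wants to observe, written as an added example against an SQLite log. This code is not from the paper or from the Dionaea project: the table and column names approximate Dionaea's logsql schema (an assumption, reduced to the columns the queries need), the scanner name "ExampleAV" is a placeholder, and every row, host address and MD5 value is constructed so the script runs offline. Binaries that have no verdict from the chosen scanner are reported as 'None', which is the reading the paper gives for its own 'None' row.

```python
"""Frequency queries over a Dionaea-style SQLite honeypot log.

Added example, not from the paper or the Dionaea project. Schema is an
assumption modelled on Dionaea's logsql tables; all rows are constructed.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_type TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER, local_port INTEGER, remote_host TEXT, remote_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER REFERENCES connections(connection),
    download_url TEXT, download_md5_hash TEXT);
CREATE TABLE virustotals (virustotal INTEGER PRIMARY KEY, virustotal_md5_hash TEXT);
CREATE TABLE virustotalscans (
    virustotalscan INTEGER PRIMARY KEY, virustotal INTEGER REFERENCES virustotals(virustotal),
    virustotalscan_scanner TEXT, virustotalscan_result TEXT);
"""

# Constructed rows: hosts from documentation ranges, timestamps on 2014-01-01 UTC.
CONNECTIONS = [  # (id, type, protocol, unix time, local port, remote host, remote port)
    (1, "accept", "smbd", 1388534400, 445, "198.51.100.7", 51012),
    (2, "accept", "smbd", 1388534460, 445, "198.51.100.7", 51020),
    (3, "accept", "mssqld", 1388534520, 1433, "203.0.113.9", 40001),
    (4, "accept", "smbd", 1388534580, 445, "198.51.100.7", 51044),
    (5, "accept", "httpd", 1388534640, 80, "192.0.2.33", 33210),
    (6, "accept", "smbd", 1388534700, 445, "203.0.113.9", 40110),
    (7, "accept", "smbd", 1388534760, 445, "198.51.100.7", 51100),
    (8, "accept", "mysqld", 1388534820, 3306, "192.0.2.33", 33300),
    (9, "accept", "smbd", 1388534880, 445, "203.0.113.9", 40200),
    (10, "accept", "sipd", 1388534940, 5060, "192.0.2.33", 33400),
]
DOWNLOADS = [  # (id, connection, url, md5) -- md5 values are placeholders, not real hashes
    (1, 1, "tftp://198.51.100.7/a.exe", "md5-blaster"),
    (2, 2, "http://198.51.100.7/b.exe", "md5-conficker"),
    (3, 4, "http://198.51.100.7/b.exe", "md5-conficker"),
    (4, 3, "tftp://203.0.113.9/x.bin", "md5-unknown-1"),
    (5, 6, "tftp://203.0.113.9/y.bin", "md5-unknown-2"),
    (6, 7, "http://198.51.100.7/z.bin", "md5-unknown-3"),
    (7, 9, "tftp://203.0.113.9/w.bin", "md5-unknown-4"),
]
VIRUSTOTALS = [(1, "md5-blaster"), (2, "md5-conficker")]
SCANS = [  # only two of the captured files have a verdict from the placeholder scanner
    (1, 1, "ExampleAV", "W32/Blaster.worm.e"),
    (2, 2, "ExampleAV", "W32/Conficker.worm.gen.a"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?)", CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", DOWNLOADS)
    db.executemany("INSERT INTO virustotals VALUES (?,?)", VIRUSTOTALS)
    db.executemany("INSERT INTO virustotalscans VALUES (?,?,?,?)", SCANS)
    db.commit()
    return db


def attacker_frequency(db: sqlite3.Connection) -> List[Tuple[str, int]]:
    """Inbound connections per remote host, busiest first (ties by address)."""
    rows = db.execute(
        "SELECT remote_host, COUNT(*) AS hits FROM connections "
        "WHERE connection_type = 'accept' "
        "GROUP BY remote_host ORDER BY hits DESC, remote_host"
    ).fetchall()
    return [(host, hits) for host, hits in rows]


def malware_frequency(db: sqlite3.Connection, scanner: str) -> List[Tuple[str, int]]:
    """Captured binaries grouped by one scanner's verdict; 'None' when it gave no verdict."""
    rows = db.execute(
        "SELECT COALESCE(s.virustotalscan_result, 'None') AS name, COUNT(*) AS hits "
        "FROM downloads d "
        "LEFT JOIN virustotals v ON v.virustotal_md5_hash = d.download_md5_hash "
        "LEFT JOIN virustotalscans s ON s.virustotal = v.virustotal "
        "AND s.virustotalscan_scanner = ? "
        "GROUP BY name ORDER BY hits DESC, name",
        (scanner,),
    ).fetchall()
    return [(name, hits) for name, hits in rows]


def daily_capture_trend(db: sqlite3.Connection) -> List[Tuple[str, int]]:
    """Number of captured binaries per UTC day, the series to watch for trends."""
    rows = db.execute(
        "SELECT strftime('%Y-%m-%d', c.connection_timestamp, 'unixepoch') AS day, COUNT(*) "
        "FROM downloads d JOIN connections c ON c.connection = d.connection "
        "GROUP BY day ORDER BY day"
    ).fetchall()
    return [(day, hits) for day, hits in rows]


if __name__ == "__main__":
    sample = build_sample_db()
    print("attackers:", attacker_frequency(sample))
    print("malware:", malware_frequency(sample, "ExampleAV"))
    print("per day:", daily_capture_trend(sample))
```

The LEFT JOIN in `malware_frequency` is the part worth noting: an inner join would silently drop every captured file that the scanner did not name, which is exactly the 'None' bucket the paper uses to show that not every connection carries known malware. On a real Dionaea database the same queries would be pointed at the `logsql` file with `sqlite3.connect(path)` instead of the in-memory sample.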

Conclusion
The Raspberry Pi is capable of being used as a malware collector. To collect malware, I used Dionaea, a honeypot for capturing malware. Dionaea can be installed and run on the Raspberry Pi. The Raspberry Pi was chosen because of its small size, low energy consumption, and low cost, and yet it is powerful enough to run Dionaea. Low energy consumption and low cost for information security in a company's information system might be a solution for the system administrator to obtain malware attack trends. The malware attack trends can be used as an early warning for a company.