Using Nepenthes Honeypots to Detect Common Malware
Tuesday, November 21. 2006
A blog entry I almost forgot about: a few days ago, Jamie Riden from the New Zealand Honeynet Project published an article on SecurityFocus entitled "Using Nepenthes Honeypots to Detect Common Malware". The article introduces nepenthes and how to install/configure it. The results are interesting:
The New Zealand Honeynet Project installed a Nepenthes honeypot using version 0.17 running on Debian unstable. This was listening on 255 IP addresses, a /24 network prefix. Over a period of five days, it had collected 74 different samples as distinguished by the MD5 hashes of the binaries. Of these, only 48 were identified as malware by a particular antivirus product at the end of the five day period. Of the known samples, many were worms such as Korgo, Doomjuice, Sasser and Mytob. The rest were IRC bots of one sort or another, like SDBot, Spybot, Mybot and Gobot. The majority of binaries, whether classified as worms or bots, had some kind of IRC backdoor functionality. Further analysis of these samples can also be performed by the reader as desired.
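The counting method in those results (samples distinguished by MD5, then a subset matched by one AV engine) is easy to reproduce over any directory of honeypot-captured binaries. The script below is an added example, not code from the article or from the nepenthes project; it assumes the captured files sit in a single directory (nepenthes keeps its downloads in a binaries/ store, and this script recomputes hashes rather than trusting file names) and that AV verdicts are available as a hypothetical dictionary keyed by MD5. The sample bytes and verdicts are constructed for the demo. One caveat worth keeping in mind when reading "74 different samples": hash-distinct does not mean family-distinct, since repacked or recompiled copies of the same bot produce new MD5s, so the unidentified remainder is often old families under fresh packing rather than new malware.

```python
"""Inventory honeypot-captured binaries by hash and measure AV coverage.

Added example; not from the SecurityFocus article or the nepenthes project.
Assumes one flat directory of captured files (like a nepenthes binaries/ store).
"""
import hashlib
import os
import tempfile
from collections import Counter


def hash_file(path, chunk_size=65536):
    """Return (md5, sha256) hex digests, streaming so large samples stay cheap."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def inventory(directory):
    """Map each distinct MD5 to its sha256, size and the file names carrying it.

    Distinct MD5 is the same "different sample" criterion the article used;
    sha256 is recorded alongside so the inventory survives an MD5 collision.
    """
    samples = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        md5, sha256 = hash_file(path)
        entry = samples.setdefault(
            md5, {"sha256": sha256, "size": os.path.getsize(path), "files": []}
        )
        entry["files"].append(name)
    return samples


def coverage(samples, verdicts):
    """Split an inventory into identified / unidentified by an AV verdict map.

    verdicts: hypothetical {md5: label} from one AV engine; a missing key or a
    None label means the engine had no detection for that hash.
    Returns (identified_count, unidentified_count, Counter of labels).
    """
    identified = {h for h in samples if verdicts.get(h)}
    unidentified = set(samples) - identified
    families = Counter(verdicts[h] for h in identified)
    return len(identified), len(unidentified), families


def demo():
    """Run the inventory over constructed sample files in a temporary directory."""
    # Constructed stand-ins for captured PE files; c.bin duplicates a.bin.
    blobs = {
        "a.bin": b"MZ" + b"\x00" * 14 + b"constructed-sample-one",
        "b.bin": b"MZ" + b"\x00" * 14 + b"constructed-sample-two",
        "c.bin": b"MZ" + b"\x00" * 14 + b"constructed-sample-one",
        "d.bin": b"MZ" + b"\x00" * 14 + b"constructed-sample-three",
    }
    with tempfile.TemporaryDirectory() as directory:
        for name, data in blobs.items():
            with open(os.path.join(directory, name), "wb") as f:
                f.write(data)
        samples = inventory(directory)
        # Constructed AV verdicts: two of the three distinct hashes are known.
        md5_of = {n: hashlib.md5(b).hexdigest() for n, b in blobs.items()}
        verdicts = {
            md5_of["a.bin"]: "Worm.Sasser",
            md5_of["b.bin"]: "Backdoor.SDBot",
        }
        identified, unidentified, families = coverage(samples, verdicts)
        for md5, entry in samples.items():
            print(md5, entry["size"], entry["files"], verdicts.get(md5, "unknown"))
        return len(samples), identified, unidentified, dict(families)


if __name__ == "__main__":
    print(demo())
```

On a real nepenthes store the script is run against the binaries directory instead of the temporary one, and the verdict map is filled from whatever AV scanner's output is available; the files-per-hash list is the quick way to see how many times the same binary was pushed at the honeypot.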


