Collecting Autonomous Spreading Malware Using High-Interaction Honeypots
Friday, January 11. 2008
Together with a few researchers from the Chinese Honeynet Project, we published a paper on capturing autonomous spreading malware with high-interaction honeypots at the 9th International Conference on Information and Communications Security (ICICS 2007). The paper is now available.
Abstract: Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.
Keywords: Honeypots - Intrusion Detection Systems - Malware
Full Paper: Collecting Autonomous Spreading Malware Using High-Interaction Honeypots (LNCS 4861)