Using Nepenthes Honeypots to Detect Common Malware

A blog entry I almost forgot about: a few days ago, Jamie Riden from the New Zealand Honeynet Project published an article on SecurityFocus entitled "Using Nepenthes Honeypots to Detect Common Malware". The article introduces Nepenthes and how to install and configure it. The results are interesting:

The New Zealand Honeynet Project installed a Nepenthes honeypot using version 0.17 running on Debian unstable. This was listening on 255 IP addresses, a /24 network prefix. Over a period of five days, it had collected 74 different samples as distinguished by the MD5 hashes of the binaries. Of these, only 48 were identified as malware by a particular antivirus product at the end of the five-day period. Of the known samples, many were worms such as Korgo, Doomjuice, Sasser and Mytob. The rest were IRC bots of one sort or another, like SDBot, Spybot, Mybot and Gobot. The majority of binaries, whether classified as worms or bots, had some kind of IRC backdoor functionality. Further analysis of these samples can also be performed by the reader as desired.


Comments


  1. Anonymous says:

    Nepenthes is a nice tool, so easy to use that even a user as inexperienced as I am (roughly 1 year of Linux experience) is able to use it, and so far I have found out that my ISP is getting attacked by 30-50 different trojans/worms.

    One thing that I have found out is that there is a lot of (new?) malware that doesn't run in a sandbox. Is there a new generation of malware coming out that is "VMware/sandbox aware"?

    And the amount of malware that isn't recognized by VirusTotal has really opened my eyes.

    Nepenthes user from Finland.

  2. Jamie Riden says:

    It carried on in this vein for a couple of weeks, with a hundred and something samples being collected - mostly bot variants but a few of the old classics such as Blaster, etc. There were still quite a few unidentified samples.

    Then the hard disk crashed :( Someone is rebuilding the box at the moment.
