
SANS ISC: InfoSec Handlers Diary Blog



Evolutions in the honeypot/honeynet arena

Published: 2005-12-26
Last Updated: 2005-12-26 23:50:30 UTC
by Swa Frantzen (Version: 1)
Over the past days we have received some interesting links on the collection of malware using new variations on the honeypot theme.

Traditionally, a honeypot was a (somewhat) vulnerable system that you let get infected in order to learn something from it. This newer breed is more of an automated system to catch malware without getting the system infected.

mwcollect (http://www.mwcollect.org/) is an automated downloader of malware. Georg Wicherski, mwcollect head developer, sent us some collected samples from his setup, and I must say I'm still impressed by the number of collections he's sent us since then.

Along the same lines is nepenthes (http://nepenthes.sourceforge.net/), a system that emulates known vulnerabilities in order to catch the exploits thrown at it.

Fellow handler Daniel Wesemann suggested a look at the Argos system (http://www.few.vu.nl/~porto/argos/), designed to detect arbitrary control flow and arbitrary code execution attacks. It is built on top of QEMU for the emulation of x86 processors. I have one big gripe about the approach, and that is the comment in the FAQ of QEMU (quoting):
Q: "I want to set up a honeypot. Can I use QEMU for that purpose ?"
A: "It is possible, but the QEMU code has not been reviewed for security issues."

With recent vulnerabilities in the commonly used VMware and the trend of malware detecting VMware and debugging, great care is needed regarding the quality and security of these tools. So my suggestion would be to carefully inspect the source code of any of these before deciding to deploy it, even for a test run.

There are for sure more efforts in this arena; I'm just summarizing what we received recently.
As always, use these systems at your own risk.

Collecting all these samples is, however, just the first step. Somebody needs to analyze them, and with the increase of malware that race might be tough on some. See also Kevin Liston's article on Dasher.

--
Swa Frantzen