Slashdot Mirror


Malware Honeypot Projects Merge

rebvend writes "eWeek is reporting that two of the biggest honeypot projects (mwcollect and nepenthes) have merged operations. A new meta-portal at mwcollect.org will become a top-level community covering malware collection efforts while nepenthes will become the official tool for malware collection."

45 comments

  1. malware honeypots!! by Anonymous Coward · · Score: 0

    think of all the porn they have to surf through!

  2. Evolution by Ritz_Just_Ritz · · Score: 2, Insightful

    Don't the malware folks get hip to the honeypots rather quickly or do they just unleash their plague and hope the hits overwhelm any setbacks from the honeypot?

    1. Re:Evolution by jsherman256 · · Score: 1

      Not the way that malware makers tend to do things. Just look at the Sony rootkit.

      --
      -JSherman
    2. Re:Evolution by Anonymous Coward · · Score: 0

      and in a few hundred million years we might have some moss

    3. Re:Evolution by spectre_240sx · · Score: 1

      I don't know that I'd consider the Sony rootkit malware. It's just piss-poorly written software in my eyes.

    4. Re:Evolution by Trigun · · Score: 1

      You mean m/OSS

  3. No Windows version ? by Anonymous Coward · · Score: 1, Insightful

    Ironic that you need Linux/BSD to collect malware for a Windows platform; wouldn't it make more sense to have a Windows version too?

    1. Re:No Windows version ? by WindBourne · · Score: 4, Insightful

      All that you really want is to emulate an opening enough to encourage a cracker/worm to show itself and what the attempt is. If you use Windows, there will be back doors that will be unknown and the honeypot will most likely be cracked. Something like *bsd or *nix is needed.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    2. Re:No Windows version ? by Anonymous Coward · · Score: 2, Interesting

      But most malware uses what are called "stub installers", which are usually small downloaders that call the rest of the malware components once infection has begun.
      Sure, you can use WINE, but then all the cracker has to do is a

        if (fileExists("c:\windows\system32\ntdll.dll"))
            execute(payload)

      It's probably quite trivial for the cracker to see whether the exploit is running in an (em|sim)ulated environment rather than the real thing (other than VMware).

    3. Re:No Windows version ? by Anonymous Coward · · Score: 0

      Of course not. Why risk infection while trying to collect specimens? Same reason a nurse puts on sterile gloves before doing blood work. But I guess that's giving safety in both directions.

    4. Re:No Windows version ? by Anonymous Coward · · Score: 0

      I think you're giving most malware authors too much credit.

      And wouldn't they still at least get the stub?

    5. Re:No Windows version ? by WindBourne · · Score: 3, Interesting

      Back in 200[23], I was doing commercial (and federal) network manipulations on OC-48s (and other lines). One of my ideas was to use our high-speed tool to track all the packets as they went in to a "honeypot". We were going to use VMware on top of a modified Linux. It made sense to go after malware on x86 (x86 accounts for more than 99% of the malware). Once we knew the exact signature of the unencrypted packets going back, we would simply replay this back on other points. The idea was to have a number of honeypots to obtain the signatures, but once we had the signatures, we could then do packet/stream manipulations while blocking anything coming in. Basically, we could use this to track who was on the net and where they were originating from while mitigating the damage. Sadly, we got side-tracked on the federal systems so we did not do this work.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    6. Re:No Windows version ? by Ethan+Allison · · Score: 3, Informative

      [bob@honeypot: ~]$ touch /home/bob/.wine/drive_c/windows/system32/ntdll.dll

    7. Re:No Windows version ? by pembo13 · · Score: 1

      Do you realise how much that would cost? As I am sure you are aware, they would have to pay for each copy of Windows.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    8. Re:No Windows version ? by CsiDano · · Score: 1

      While in college we had to create a honeynet and monitor it for our final semester. Knowing that watching a Linux honeynet would be boring as hell, we decided to create a Windows honeynet with all monitoring done using Linux machines. Since we were students, hence poor, we used Windows and then just didn't activate the installs; that gave us thirty days of authorized use before having to clean-wipe and re-install. This was a perfect situation as, being a Windows honeynet, infection never took more than 30 days.

      --
      piss off
  4. Hence Forth.. by Comatose51 · · Score: 1

    Henceforth, it shall be known as "Mega Jackpot!!!" (the ! is part of the name).

    --
    EvilCON - Made Famous by /.
  5. Bound to happen by varmint+jerky · · Score: 4, Funny

    It was inevitable...they couldn't resist each other.

  6. Oh server why are you not there? by Anonymous Coward · · Score: 0

    Slashdot - Malware providers server take down provider

  7. As Winnie the Pooh would say... by __aaclcg7560 · · Score: 1

    ... the biggest honeypot projects ...

    Honey... oh my gracious...

  8. MS Strider honeymonkey project by Quirk · · Score: 4, Informative

    I remembered MS running a honeypot project that /. reported on last year.

    What Is Strider "HoneyMonkey"? is a different take on the problem. /. reported on the project... http://it.slashdot.org/article.pl?sid=05/05/18/2240222

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
    1. Re:MS Strider honeymonkey project by telax · · Score: 1

      Do you mean www.microsoft.com? :) Didn't they have it on unix for quite a while? Can't remember.

      --
      telax - Just another vim and c hacker.
  9. In other news... by Anonymous Coward · · Score: 0

    Linux is STILL for fags.

  10. Your powers combined.... by smaerd · · Score: 2, Funny

    ...I am CAPTAIN HARDRIVE!

    Captain Hardrive
    He's our hero
    he's going to take malware
    down to zero

  11. The New Malware Team by slashbob22 · · Score: 1

    To the tune of "The New Justice Team Theme" -- Futurama

    Go, go, go New Malware Team
    Go team, go team, team team team
    Whose that newest Malware Team?
    The New Malware Team

    MW Collect is fast
    Also it is from the past
    Not just fast but from the past
    MW Collect!

    Nepenthes has all the powers of a King
    Plus all the power of Superman,
    Also it's a robot
    Ain't it cool? Nepenthes you rule!

    Hon-ney-pot beats you up
    Ho-ney-pot beats you up
    Who does it beat up? You!!
    Hon-ney-pot!

    Citizens, never fear
    Crazy do-good freaks are here
    Until they run out of steam...
    Merger cream, merger cream

    Gives the power to the team
    Its effects wear off for sure
    So they just merge with some more
    The New Malware Team!

    --
    Proof by very large bribes. QED.
    1. Re:The New Malware Team by Anonymous Coward · · Score: 1, Funny

      Ouch - you know, I wish we had a "Slashdot" honeypot to collect "Sung to the tune of" references stories like this tend to collect.

      Wait, is this thread the honeypot???

  12. I'm surely not the only slashdotter... by PornMaster · · Score: 1

    I'm surely not the only slashdotter who thinks that honeypot sounds like a euphemism for vagina, am I?

    1. Re:I'm surely not the only slashdotter... by Anonymous Coward · · Score: 1, Informative

      It's funny that you say that... in the history of the word, it has a similar meaning.
      http://en.wikipedia.org/wiki/Honeypot_(electronics)

      The term "honeypot" is often understood to refer to the British children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey.

      During the Cold War it was an espionage technique, which inspired spy fiction. The term "honeypot" was used to describe the use of sexual entrapment to gain information. In a common scenario, a pretty female Communist agent would trick a male Western official into handing over secret information.

      An alternative explanation for the term is a reflection of the sarcastic term for outhouses and other methods of collecting feces and other human waste in places that lack indoor plumbing. Honey is a euphemism for such waste, which is kept in a honeypot until it is picked up by a honey wagon and taken to a disposal area. In this usage, attackers are the equivalent of flies, drawn by the stench of sewage.

    2. Re:I'm surely not the only slashdotter... by kent_eh · · Score: 1

      GIS for Honeywagon
      That's what we always called 'em when I was growing up on the farm.

      --
      "I can't complain, but sometimes still do..." Joe Walsh
    3. Re:I'm surely not the only slashdotter... by cloudmaster · · Score: 1

      Wrong hole, man. Wrong hole.

    4. Re:I'm surely not the only slashdotter... by Anonymous Coward · · Score: 0

      the British children's character Winnie-the-Pooh

      Wasn't Winnie the Pooh Canadian? From Winnipeg?

  13. Meaning of nepenthes by EightMillion · · Score: 1

    In case anyone was wondering, nepenthes is a genus of carnivorous or insectivorous pitcher plants. More information about them can be found here.

    1. Re:Meaning of nepenthes by Anonymous Coward · · Score: 0

      No, we weren't :-)

    2. Re:Meaning of nepenthes by Anonymous Coward · · Score: 0

      Just for the ultra curious, nepenthes also features in Greek mythology, as in 'I will drink the nepenthes (that's neh-pen-theez) of the waters of Lethe'. It was a sleeping draught which brought forgetfulness - in the Odyssey, Helen was given 'nepenthes pharmakon' to ease her troubled mind over the whereabouts of her man.

  14. They're both doing the same thing... by Deliveranc3 · · Score: 1

    So economies of scale are nice...

    But possibilities of being paid off or court-ordered increase, which sucks.

    Overall I'd say... net loss.

  15. reason for merge by Anonymous Coward · · Score: 0

    They just couldn't afford two second level domains.

  16. Greetings from the world of tomorrow! by TCQuad · · Score: 1

    Back in 200[23]

    OMG, you're from the future?

    And we use base-32 numbers in the future?

    Man, that is such an appropriate interesting mod.

  17. speaking of honeypots by bobkoure · · Score: 1

    Doesn't it seem obvious that spammers have their own honeypots (in order to harvest addresses from each other)? Of course, the advantage with a spammer's honey pot is that he/she doesn't have to worry about mitigating any damage - just let that spam spew through - so long as you get a copy of the addresses. Unless you think they all meet somewhere and trade/sell addresses...? What makes you think they treat each other honorably when they can just steal?