Malware Honeypot Projects Merge

rebvend writes "eWeek is reporting that two of the biggest honeypot projects (mwcollect and nepenthes) have merged operations. A new meta-portal at mwcollect.org will become a top-level community covering malware collection efforts while nepenthes will become the official tool for malware collection."

Re:No Windows version ?

but most malware uses what are called "stub installers" which are usually small downloaders that call the rest of the malware components once infection has begun
sure you can use WINE but then all the cracker has to do is a
if(fileExists("c:\windows\system32\ntdll.dll")
execute(payload)

its probably quite trivial for the cracker to see wether the exploit is running in an (em|sim)ulated enviroment rather than the real thing (other than vmware)

Re:No Windows version ?

[WindBourne]

Back in 200[23], I was doing commercial (and federal) network manipulations on OC-48s (and other lines). One of my ideas was to use our highspeed tool to track all the packets as they went in to a "honeypot". We were going to use vmware on top of a modified linux. It made sense to go after malware on x86 (x86 accounts for more than 99% of the malware). Once we knew the exact signature of the unencrypted packets going back, we would simply replay this back on other points. The idea was to have a number of honeypots to obtain the signatures, but once we had the signatures, we could then do packet/stream manipulations while blocking any thing coming in. Basically, we could use this to track who was on the net and where they were originating from while mitigating the damage. Sadly, we got side-tracked on the federal systems so we did not do this work.