Slashdot Mirror


Malware Honeypot Projects Merge

rebvend writes "eWeek is reporting that two of the biggest honeypot projects (mwcollect and nepenthes) have merged operations. A new meta-portal at mwcollect.org will become a top-level community covering malware collection efforts while nepenthes will become the official tool for malware collection."

8 of 45 comments

  1. Evolution by Ritz_Just_Ritz · · Score: 2, Insightful

    Don't the malware folks get hip to the honeypots rather quickly or do they just unleash their plague and hope the hits overwhelm any setbacks from the honeypot?

  2. Re:No Windows version ? by WindBourne · · Score: 4, Insightful

    All that you really want is to emulate an opening enough to encourage a cracker/worm to show itself and what the attempt is. If you use Windows, there will be back doors that will be unknown and the honeypot will most likely be cracked. Something like *bsd or *nix is needed.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  3. Re:No Windows version ? by Anonymous Coward · · Score: 2, Interesting

    But most malware uses what are called "stub installers", which are usually small downloaders that call the rest of the malware components once infection has begun.
    Sure, you can use WINE, but then all the cracker has to do is a
    if (fileExists("c:\windows\system32\ntdll.dll"))
        execute(payload)

    It's probably quite trivial for the cracker to see whether the exploit is running in an (em|sim)ulated environment rather than the real thing (other than vmware).

  4. Bound to happen by varmint+jerky · · Score: 4, Funny

    It was inevitable...they couldn't resist each other.

  5. MS Strider honeymonkey project by Quirk · · Score: 4, Informative

    I remembered MS running a honeypot project that /. reported on last year.

    What Is Strider "HoneyMonkey"? is a different take on the problem. /. reported on the project... http://it.slashdot.org/article.pl?sid=05/05/18/2240222

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
  6. Re:No Windows version ? by WindBourne · · Score: 3, Interesting

    Back in 200[23], I was doing commercial (and federal) network manipulations on OC-48s (and other lines). One of my ideas was to use our high-speed tool to track all the packets as they went into a "honeypot". We were going to use vmware on top of a modified linux. It made sense to go after malware on x86 (x86 accounts for more than 99% of the malware). Once we knew the exact signature of the unencrypted packets going back, we would simply replay this back on other points. The idea was to have a number of honeypots to obtain the signatures, but once we had the signatures, we could then do packet/stream manipulations while blocking anything coming in. Basically, we could use this to track who was on the net and where they were originating from while mitigating the damage. Sadly, we got side-tracked on the federal systems so we did not do this work.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  7. Re:No Windows version ? by Ethan+Allison · · Score: 3, Informative

    [bob@honeypot: ~]$ touch /home/bob/.wine/drive_c/windows/system32/ntdll.dll
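
The exchange between comment 3 (a stub installer that only fires if c:\windows\system32\ntdll.dll exists) and comment 7 (plant the file with `touch`) is worth seeing in working code. The following is an added example written for this page, not code from the thread or from the mwcollect/nepenthes projects. It builds a throwaway directory standing in for WINE's drive_c, runs the bare existence test from comment 3 against it, applies the `touch` decoy from comment 7, and then shows the obvious next move on the attacker's side: reading the file and requiring a plausible PE image (MZ stub, e_lfanew pointer, "PE\0\0" signature, realistic size), which an empty file fails. The function and path names are the example's own; the constructed "PE" decoy only carries the header fields the check reads and is not a real DLL.

```python
"""Environment check vs. honeypot decoy (added example, not from the thread)."""
import os
import struct
import tempfile

# Relative path of the artifact the stub installer looks for (from comment 3).
NTDLL_REL = os.path.join("windows", "system32", "ntdll.dll")


def exists_check(drive_c):
    """The naive test from comment 3: the payload runs iff the file exists."""
    return os.path.isfile(os.path.join(drive_c, NTDLL_REL))


def pe_check(drive_c, min_size=64 * 1024):
    """Stricter test: the file must look like a real PE image, not a decoy.

    A genuine ntdll.dll is hundreds of KB, starts with the 'MZ' DOS stub,
    and has a 'PE\\0\\0' signature at the offset stored at 0x3C (e_lfanew).
    A zero-byte file created with `touch` fails every one of these."""
    path = os.path.join(drive_c, NTDLL_REL)
    try:
        if os.path.getsize(path) < min_size:
            return False
        with open(path, "rb") as f:
            hdr = f.read(0x40)
            if len(hdr) < 0x40 or hdr[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:  # missing file, unreadable file, etc.
        return False


def make_decoy_touch(drive_c):
    """What comment 7 does: an empty file at the expected path."""
    path = os.path.join(drive_c, NTDLL_REL)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "ab").close()


def make_decoy_pe(drive_c, size=256 * 1024):
    """A better decoy for the honeypot operator: a file of realistic size
    with just enough PE header to satisfy pe_check(). Constructed here;
    it is not an actual DLL and would not load."""
    path = os.path.join(drive_c, NTDLL_REL)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    with open(path, "wb") as f:
        f.write(buf)


def demo():
    """Run both checks against an empty, a touched, and a PE-shaped drive_c.

    Returns {state: (exists_check result, pe_check result)}."""
    with tempfile.TemporaryDirectory() as drive_c:
        results = {}
        results["empty"] = (exists_check(drive_c), pe_check(drive_c))
        make_decoy_touch(drive_c)
        results["touch"] = (exists_check(drive_c), pe_check(drive_c))
        make_decoy_pe(drive_c)
        results["pe"] = (exists_check(drive_c), pe_check(drive_c))
        return results


if __name__ == "__main__":
    for state, (naive, strict) in demo().items():
        print(f"{state:5s}  exists_check={naive!s:5s}  pe_check={strict}")
```

The point for a honeypot operator is that every check of this kind reads static artifacts the operator controls, so each one can be satisfied by planting a more convincing decoy; the stricter check only raises the cost of the decoy, it does not make emulation detectable in principle.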

  8. Your powers combined.... by smaerd · · Score: 2, Funny

    ...I am CAPTAIN HARDRIVE!


    Captain Hardrive
    He's our hero
    he's going to take malware
    down to zero