Some 'days' ago the deadline for the Honeynet Project Alliance's bi-annual status reports was reached. As I think all reports are up now, or at least I hope so, I spent some time reading them.
As there is no single page where you could read all reports, this was pretty time-consuming. After reading half of the reports, I had the great idea of pasting together the parts of every report where we got mentioned.
After having done 3/4 of all the pasting, my damn Firefox decided to die … and I had to do it again.
I hope the summary was worth the time; I had to reformat some parts.
If you want the list of all reports, it's below the summary.
# Malware collection on Debian Intel (~250 IP) using either:
Virtual Honeypots:
Nepenthes_pub: 1 nepenthes sensor binding one IP of China Public Internet.
Nepenthes_edu: 1 nepenthes sensor binding one class C IP range of China Education and Research Network (CERNET).
We have a /17 (now /18) network for nepenthes.
Several nepenthes sensors in diverse locations at several ISPs
Malware collection
We collected more than 15,000 malware binaries with the help of nepenthes. The tool proved to be useful and several other teams (also many non-honeynet related organizations) now use nepenthes on a daily basis. The collected malware consists of mostly bots, but there are also diverse other types of malware.
We have been running combinations of Nepenthes and MWCollect sensors for the past year, and as no direct performance and malware collection comparison statistics were available, we decided to conduct a research exercise on this topic. Two identical Debian Linux systems (both hardware and software) were set up, each running the default configuration of the latest version of Nepenthes and MWCollect. 120 IP addresses were assigned to each sensor, applied as virtual interfaces in an alternating fashion (.1 = Nepenthes, .2 = MWCollect, .3 = Nepenthes, etc.) and connected to a 2MBit/sec UK ISP ADSL circuit.
Malware collection data was gathered for a month and a short comparison report will be published shortly, although the importance of this data has been significantly reduced due to the recent Nepenthes / MWCollect Fusion announcement - timing is everything!
During March one Nepenthes sensor collected an unusual piece of Windows malware that was protected using PELock.
At the time, other members of the Malware Collection Alliance had not seen this particular binary, or other exploit binaries protected using PELock, and the malware was not detected by common AV or sandbox tools such as Norman or VirusTotal.
Initial malware analysis was performed by members of the French honeynet project and more detail will follow in a future mini-report.
Malicious network traffic on TCP port 445 is still huge; we had several million downloads of malware binaries on our nepenthes sensors.
The malware collection tools continue to go from strength to strength, and with the MWCollect/Nepenthes Fusion announcement, it is very simple to easily collect the malware which is local to your own networks. Coupled with automated Norman Sandbox analysis reports, this represents an excellent way of keeping on top of malware activity without the need to deploy full high interaction honeypots.
Don't run your nepenthes sensors with the default logging level unless you have a lot of disk space - it will quickly run out and you will lose binaries/shellcodes. If possible, actively monitor disk space on all honeynet components, and alert on shortages (as sudden large changes in free disk space are a sure sign that something unexpected has occurred).
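The disk-space advice above is easy to automate. The watchdog below is an added example (not code from the report's authors or from nepenthes): it samples free space on the directories a sensor writes to and raises an alert both when free space falls under a floor and when it drops by more than a threshold between two samples, the "sudden large change" case the report calls out. The paths, thresholds and sampling interval are assumptions; adjust them to your sensor host.

```python
"""Free-disk-space watchdog for a nepenthes sensor host (added example)."""
import shutil
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed thresholds: tune to the host's disk and capture rate.
MIN_FREE_BYTES = 2 * 1024 ** 3      # alert when less than 2 GiB is free
MAX_DROP_BYTES = 512 * 1024 ** 2    # alert when free space falls >512 MiB between samples


@dataclass
class DiskWatch:
    """Tracks free space on one path and remembers alerts already raised."""
    path: str
    last_free: Optional[int] = None
    alerts: List[str] = field(default_factory=list)

    def check(self, free: Optional[int] = None) -> List[str]:
        """Take one sample (or use an injected value) and return the new alerts.

        Passing `free` explicitly lets a test drive the logic without a real disk.
        """
        if free is None:
            free = shutil.disk_usage(self.path).free
        new = []
        if free < MIN_FREE_BYTES:
            new.append(f"{self.path}: only {free // 1024 ** 2} MiB free (below floor)")
        if self.last_free is not None and self.last_free - free > MAX_DROP_BYTES:
            drop = (self.last_free - free) // 1024 ** 2
            new.append(f"{self.path}: free space dropped by {drop} MiB since last sample")
        self.last_free = free
        self.alerts.extend(new)
        return new


def watch(paths: List[str], interval: float = 60.0, samples: int = 0) -> List[str]:
    """Poll the given paths every `interval` seconds; `samples` == 0 means forever.

    Returns every alert raised (useful when run for a fixed number of samples).
    """
    watches = [DiskWatch(p) for p in paths]
    taken = 0
    while samples == 0 or taken < samples:
        for w in watches:
            for alert in w.check():
                print("ALERT:", alert)   # replace with mail/syslog in production
        taken += 1
        if samples == 0 or taken < samples:
            time.sleep(interval)
    return [a for w in watches for a in w.alerts]


if __name__ == "__main__":
    # Assumed nepenthes data directories; two quick samples for demonstration.
    watch(["/var/lib/nepenthes/binaries", "/var/lib/nepenthes/hexdumps", "/var/log"],
          interval=1.0, samples=2)
```

A sensor that starts filling its disk much faster than usual (a new worm wave, or the default logging level left on) trips the second rule long before the floor is reached, which is the point of alerting on the change rather than only on the level.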
Integration of virtual honeypots (like honeyd and nepenthes) and physical honeypots to get a scalable, lower cost/threats/labor solution, but still provide high interaction level to the novel attacks/malware.
Explore how honeynets can be used as an additional component within an IDS infrastructure. We are experimenting with nepenthes in this area and first results are convincing.
We've developed a sandbox parser which automatically processes the malware reports sent to us from Norman. The malware is collected using nepenthes and the submit-norman plugin. At regular intervals all unprocessed mail from Norman is parsed and the data put into a MySQL database. Then we present this data on our website using various charts and tables (Link: http://www.honeynor.no/research/sandbox).
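To show what such a pipeline looks like end to end, here is an added example (not the honeynor.no parser and not Norman's real output). The report layout in `SAMPLE_REPORTS` is a constructed, simplified stand-in for a sandbox mail, so the field names are assumptions; SQLite in memory stands in for the MySQL database so the script runs offline. Re-delivered mails are handled idempotently by keying on the sample hash, and the two query functions produce the per-verdict and top-contacted-host figures a chart page would plot.

```python
"""Parse sandbox analysis mails and load them into a database (added example)."""
import re
import sqlite3
from typing import Dict, List, Optional

# Constructed sample mails in an invented layout; NOT Norman's format.
SAMPLE_REPORTS = [
    "Subject: Sandbox report for 0123456789abcdef0123456789abcdef\n"
    "File: svchost32.exe\n"
    "Result: W32/Bot.gen\n"
    "Network: connects to 192.0.2.10:6667 (IRC)\n"
    "Network: connects to 198.51.100.7:80 (HTTP)\n",
    "Subject: Sandbox report for fedcba9876543210fedcba9876543210\n"
    "File: update.exe\n"
    "Result: Not detected\n"
    "Network: connects to 192.0.2.10:6667 (IRC)\n",
    # The first mail delivered a second time: must not create a duplicate row.
    "Subject: Sandbox report for 0123456789abcdef0123456789abcdef\n"
    "File: svchost32.exe\n"
    "Result: W32/Bot.gen\n",
    "Subject: Out of office\nI am away until next week.\n",   # unrelated mail
]

SUBJECT_RE = re.compile(r"^Subject: Sandbox report for ([0-9a-f]{32})\s*$", re.M)
FILE_RE = re.compile(r"^File: (.+?)\s*$", re.M)
RESULT_RE = re.compile(r"^Result: (.+?)\s*$", re.M)
NETWORK_RE = re.compile(r"^Network: connects to ([\w.\-]+):(\d+) \((\w+)\)\s*$", re.M)

SCHEMA = """
CREATE TABLE IF NOT EXISTS samples (
    md5 TEXT PRIMARY KEY, filename TEXT, result TEXT);
CREATE TABLE IF NOT EXISTS connections (
    md5 TEXT, host TEXT, port INTEGER, proto TEXT,
    UNIQUE(md5, host, port, proto));
"""


def _first(regex: "re.Pattern", text: str, default):
    m = regex.search(text)
    return m.group(1) if m else default


def parse_report(text: str) -> Optional[Dict]:
    """Return the fields of one report, or None if the mail is not a report."""
    md5 = _first(SUBJECT_RE, text, None)
    if md5 is None:
        return None
    return {
        "md5": md5,
        "filename": _first(FILE_RE, text, "unknown"),
        "result": _first(RESULT_RE, text, "no verdict"),
        "connections": [(h, int(p), proto) for h, p, proto in NETWORK_RE.findall(text)],
    }


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def store(conn: sqlite3.Connection, rec: Dict) -> bool:
    """Insert a parsed report; returns False if this md5 was already stored."""
    cur = conn.execute("INSERT OR IGNORE INTO samples VALUES (?, ?, ?)",
                       (rec["md5"], rec["filename"], rec["result"]))
    for host, port, proto in rec["connections"]:
        conn.execute("INSERT OR IGNORE INTO connections VALUES (?, ?, ?, ?)",
                     (rec["md5"], host, port, proto))
    conn.commit()
    return cur.rowcount == 1


def process_all(conn: sqlite3.Connection, mails: List[str]) -> int:
    """Parse every mail and return how many new samples were stored."""
    return sum(1 for text in mails
               if (rec := parse_report(text)) is not None and store(conn, rec))


def results_by_verdict(conn: sqlite3.Connection) -> Dict[str, int]:
    rows = conn.execute("SELECT result, COUNT(*) FROM samples GROUP BY result")
    return dict(rows.fetchall())


def top_hosts(conn: sqlite3.Connection, limit: int = 5) -> List[tuple]:
    """Hosts contacted by the most distinct samples: likely C&C candidates."""
    return conn.execute(
        "SELECT host, port, COUNT(DISTINCT md5) AS n FROM connections "
        "GROUP BY host, port ORDER BY n DESC, host LIMIT ?", (limit,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(process_all(db, SAMPLE_REPORTS), "new samples")
    print(results_by_verdict(db))
    print(top_hosts(db))
```

Keying the `samples` table on the hash (and the `connections` table on the full tuple) is what makes periodic re-runs over the mailbox safe: a mail that was already processed changes nothing, so the cron job never has to track which mails it has seen.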
nepenthes / mwcollect – “Collecting malware in non-native environments”
The main idea behind nepenthes is emulation of vulnerable services. Instead of deploying a high-interaction honeypot with vulnerable services that can be exploited by autonomous spreading malware, this program emulates the services. On the one hand, this reduces the risk of running a honeynet. Since nepenthes does not run a vulnerable service, an attacker cannot fully compromise the honeypot. The attacking process will interact with an emulation and thus we mitigate the risk involved. Once we have downloaded a piece of malware, it is stored on the hard disk and never executed. So the honeypot is never infected with malware – something impossible with a high-interaction honeypot. On the other hand, this approach leads to better scalability: we were able to run several thousand honeypots on just one physical machine.
More information is available at http://nepenthes.mwcollect.org
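The paragraph above describes the low-interaction principle; the listener below is an added example of that principle in its smallest form and is not nepenthes code. It answers a connection with a fixed greeting, records whatever the peer sends, and writes the bytes to disk under their SHA-256 name. The captured data is never executed or interpreted, which is exactly why an emulated service cannot be "fully compromised" the way a real vulnerable service can. The banner text, size cap, timeout and store directory are assumptions; real nepenthes vulnerability modules also parse the incoming exploit far enough to extract the download URL, which this stub deliberately does not do.

```python
"""Minimal low-interaction capture listener (added example, not nepenthes)."""
import hashlib
import os
import socket
import tempfile
import threading
from typing import Dict, Optional

BANNER = b"220 service ready\r\n"   # assumed generic greeting so clients proceed
MAX_BYTES = 1024 * 1024            # assumed cap on captured data per connection
READ_TIMEOUT = 2.0                 # seconds to wait for a silent peer


def store_capture(data: bytes, store_dir: str) -> str:
    """Write captured bytes to <store_dir>/<sha256>.bin and return the path.

    Content-addressed names make repeat captures of the same sample idempotent.
    The file is data only; nothing here ever executes it.
    """
    os.makedirs(store_dir, exist_ok=True)
    path = os.path.join(store_dir, hashlib.sha256(data).hexdigest() + ".bin")
    if not os.path.exists(path):
        with open(path, "wb") as f:
            f.write(data)
    return path


def handle_peer(conn: socket.socket, store_dir: str) -> Optional[str]:
    """Send the banner, then collect bytes until close, timeout or the cap."""
    chunks, total = [], 0
    try:
        conn.settimeout(READ_TIMEOUT)
        conn.sendall(BANNER)
        while total < MAX_BYTES:
            chunk = conn.recv(min(65536, MAX_BYTES - total))
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    except socket.timeout:
        pass   # peer went quiet; keep what was received so far
    finally:
        conn.close()
    data = b"".join(chunks)
    return store_capture(data, store_dir) if data else None


class CaptureListener:
    """Binds once; each accept_one() call serves a single connection."""

    def __init__(self, store_dir: str, host: str = "127.0.0.1", port: int = 0):
        self.store_dir = store_dir
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0 = pick a free ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def accept_one(self) -> Optional[str]:
        conn, _ = self.sock.accept()
        return handle_peer(conn, self.store_dir)

    def close(self) -> None:
        self.sock.close()


def capture_from_client(payload: bytes, store_dir: Optional[str] = None) -> Dict:
    """Self-contained round trip: serve one connection in a thread, send
    `payload` as the peer, and report where it landed. Uses a temp dir by default."""
    store_dir = store_dir or tempfile.mkdtemp(prefix="capture-")
    listener = CaptureListener(store_dir)
    result: Dict = {"dir": store_dir}
    t = threading.Thread(target=lambda: result.update(path=listener.accept_one()))
    t.start()
    with socket.create_connection(("127.0.0.1", listener.port)) as c:
        c.recv(64)            # consume the banner, as a real client would
        c.sendall(payload)
    t.join(timeout=5)
    listener.close()
    with open(result["path"], "rb") as f:
        result["data"] = f.read()
    return result


if __name__ == "__main__":
    print(capture_from_client(b"constructed sample payload"))
```

The cap and the timeout matter as much as the "never execute" rule: without them a single peer can hold the listener open or fill the disk, which is the operational failure the disk-space advice elsewhere in these reports is about.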
mwcollect Alliance
The idea behind this project is to establish a trusted community which aims at collecting malware. Every participant contributes data (e.g., malware collected with the help of nepenthes) and then has access to all data contributed by others. The central repository is now up and running and we have about 100 participants. More information is available at https://alliance.mwcollect.org
Advanced Honeynet-based Intrusion Detection
The goal of this project is to build a distributed Intrusion Detection System (IDS) based on nepenthes and Blast-O-Mat. The system should be capable of efficiently detecting offending hosts within the campus network and block network access of these machines. Moreover, it should include an alerting mechanism and a way to download patches to the blocked machines.
This research is carried out by Jan Göbel as part of his diploma thesis.
nepenthes should work together with honeyd soon.
There are some issues left (UDP socket timeouts), though.
nepenthes interacts with the Sandbox by Norman and we are currently in the process of integrating it with CWSandbox.
We hope to automate the complete process of capturing a malware binary, analyzing it, and finally tracking the associated botnet. This will then be a tool for automated botnet detection and mitigation.
Eventually an integration of nepenthes with the Honeywall makes sense.
We had some discussions about this and wait until the next Honeywall with distributed capabilities is published.
A “Botnet Malware Analysis” course was given at the joint FIRST Technical Colloquium and 17th TF-CSIRT meeting on January 25th, 2006 by Carlos Fragoso (SHP member) in collaboration with Francisco Monserrat (IRIS-CERT). It mainly described a behavioural and code-based analysis approach using common open-source tools. It was a case-based approach using a real-world specimen obtained from mwcollect/nepenthes probes on the Spanish national research network.
We are going to continue HoneyMole development with new functionalities and improvements. Our honeypot farm concept will be used to deploy a central repository for malware detection with Nepenthes.