A user sent us the picture of a virus using the rfc1918 address rewrite in nepenthes to detect the honeypot.
Even though it is a good idea to detect honeypots if you make money in internet crime, it is trivial to prevent for those running nepenthes:
Set replace_local_ips to 0 in nepenthes.conf
From what we could see from the screenshot, the attacking worm sends the honeypot a command to download a file with a special crafted path and a rfc1918 local ip address
Nepenthes accepts the download,
Link ftp://1:firstname.lastname@example.org:31021/nepdetect.exe has local address, replacing with real ip
replaces the ip with the attacks origin ip address, and
Replaced Address, new URL is ftp://xxx.yyy.zzz.145:31021/nepdetect.exe
downloads the file
Handler ftp download handler will download ftp://xxx.yyy.zzz.145:31021/nepdetect.exe
The attacking worm detects this behaviour and scores the host as a nepenthes honeypot.
In order to detect the honeypot, the attacking worm has to wait for a try to download the anti-honeypot-file, which means, for each vulnerable host, the worm has to wait for some seconds for the download before asking him to download the real file.
So, if you want to to protect your specism this from getting collected by a nepenthes honeypot, be aware of the performance impact when it comes to spreading your malware, and note that changing a nepenthes config value will screw it anyway.