
Thread: capturing virus/botnet with honeypot...

  1. #1
    Member
    Join Date
    Oct 2006
    Posts
    63

    capturing virus/botnet with honeypot...

    I've decided to set up a honeypot to capture viruses/botnets to reverse engineer them and get to know how they work, where they come from, etc. For that I set up nepenthes running on an Ubuntu virtual machine, and I opened a hole on my firewall to that machine, pretty much redirecting all traffic that hits the firewall to the virtual box. In less than 3 hours I started to get hit with what appears to be a botnet for DDoS from an IP address in China, but nepenthes sends the virus to a website for analysis, and the virus is nowhere to be found in the system... Instead I want to be able to capture and analyze them myself. Does anyone know a better way to accomplish this?


    Thanks in advance

  2. #2
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Post

    Quote Originally Posted by k_tech
    I've decided to set up a honeypot to capture viruses/botnets to reverse engineer them and get to know how they work, where they come from, etc. For that I set up nepenthes running on an Ubuntu virtual machine, and I opened a hole on my firewall to that machine, pretty much redirecting all traffic that hits the firewall to the virtual box. In less than 3 hours I started to get hit with what appears to be a botnet for DDoS from an IP address in China, but nepenthes sends the virus to a website for analysis, and the virus is nowhere to be found in the system... Instead I want to be able to capture and analyze them myself. Does anyone know a better way to accomplish this?


    Thanks in advance
    Maybe check out a few of the Threads that Soda_Popinsky created.

    Pharming

    SMTP Relay Honeypot Tutorial

    Google Hack Honeypot Results

    Advanced Web Based Honeypot Techniques

    Open proxy honeypots

    Hopefully these linked threads may or may not be of any use..

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm, I guess you haven't got it set up right as it claims to collect malware for you:

    http://nepenthes.mwcollect.org/documentation:readme

    Quote Originally Posted by k_tech
    I started to get hit with what appears to be a botnet for DDoS from an IP address in China, but nepenthes sends the virus to a website for analysis, and the virus is nowhere to be found in the system.
    Why does it "appear to be a botnet for DDoS"? AFAIK a botnet is simply a collection of compromised machines.............. you can use them for anything you like?

    Strictly speaking, I doubt if it was a "virus", as that sort of activity is a bit too promiscuous for botnets. More likely a worm or trojan from what I have seen over the past months.

    Once again, I would suggest that you recheck the documentation and your settings for nepenthes, as it is certainly supposed to support local capture of malware. Sure, it will also try to send the information back to the project, but that is part of the idea of it?
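    Once the honeypot is writing captured binaries to local disk, the first analysis step is usually to inventory them. The following is an added example, not code from the thread or from the nepenthes project: it hashes every file in an assumed capture directory (the SAMPLE_DIR path is a placeholder, not nepenthes' documented default), collapses identical captures onto one SHA-256, and flags files that carry the Windows PE "MZ" header. The demo directory and its files are constructed inline.

```python
import hashlib
import os
import tempfile

# Assumed layout: the honeypot drops each captured binary as its own file in one
# directory. The path below is a placeholder; adjust it to your own install.
SAMPLE_DIR = "/opt/nepenthes/var/binaries"

def sha256_file(path):
    """Hash a file in chunks so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(sample_dir):
    """Map each distinct SHA-256 to its file names, size and whether it starts
    with the 'MZ' header of a Windows PE, the usual shape of what gets collected."""
    seen = {}
    for name in sorted(os.listdir(sample_dir)):
        path = os.path.join(sample_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            magic = f.read(2)
        digest = sha256_file(path)
        entry = seen.setdefault(
            digest, {"paths": [], "size": os.path.getsize(path), "is_pe": magic == b"MZ"}
        )
        entry["paths"].append(name)  # identical captures collapse onto one digest
    return seen

def build_demo_dir():
    """Constructed stand-in for the capture directory: two identical fake PE
    stubs (the same sample captured twice) and one non-PE file."""
    d = tempfile.mkdtemp()
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
    for name in ("capture-a.bin", "capture-b.bin"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(fake_pe)
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"#!/bin/sh\necho constructed\n")
    return d

if __name__ == "__main__":
    for digest, info in inventory(build_demo_dir()).items():
        print(digest[:16], info["size"], "PE" if info["is_pe"] else "other", info["paths"])
```

Point inventory() at SAMPLE_DIR instead of build_demo_dir() to run it against real captures; the digests double as the keys for whatever offline analysis you do next.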
