July 8th, 2008, 07:17 AM
#1
capturing virus/botnet with honeypot...
I've decided to set up a honeypot to capture viruses/botnets to reverse engineer them and get to know how they work, where they come from, etc. For that I set up nepenthes running on an Ubuntu virtual machine, and I opened a hole on my firewall to that machine, pretty much redirecting all traffic that hits the firewall to the virtual box. In less than 3 hours I started to get hit with what appears to be a botnet for DDoS from an IP address in China, but nepenthes sends the virus to a website for analysis, and the virus is nowhere to be found on the system... Instead I want to be able to capture and analyze them myself. Does anyone know a better way to accomplish this?
Thanks in advance
July 8th, 2008, 01:54 PM
#2
Originally Posted by k_tech
I've decided to set up a honeypot to capture viruses/botnets to reverse engineer them and get to know how they work, where they come from, etc. For that I set up nepenthes running on an Ubuntu virtual machine, and I opened a hole on my firewall to that machine, pretty much redirecting all traffic that hits the firewall to the virtual box. In less than 3 hours I started to get hit with what appears to be a botnet for DDoS from an IP address in China, but nepenthes sends the virus to a website for analysis, and the virus is nowhere to be found on the system... Instead I want to be able to capture and analyze them myself. Does anyone know a better way to accomplish this?
Thanks in advance
Maybe check out a few of the threads that Soda_Popinsky created:
Pharming
SMTP Relay Honeypot Tutorial
Google Hack Honeypot Results
Advanced Web Based Honeypot Techniques
Open proxy honeypots
Hopefully these linked threads may or may not be of some use.
July 9th, 2008, 09:39 PM
#3
Hmmm, I guess you haven't got it set up right, as it claims to collect malware for you:
http://nepenthes.mwcollect.org/documentation:readme
Originally Posted by k_tech
I started to get hit with what appears to be a botnet for DDoS from an IP address in China, but nepenthes sends the virus to a website for analysis, and the virus is nowhere to be found on the system.
Why does it "appear to be a botnet for DDoS"? AFAIK a botnet is simply a collection of compromised machines... you can use them for anything you like?
Strictly speaking, I doubt if it was a "virus", as that sort of activity is a bit too promiscuous for botnets. More likely a worm or trojan from what I have seen over the past months.
Once again, I would suggest that you recheck the documentation and your settings for nepenthes, as it is certainly supposed to support local capture of malware. Sure, it will also try to send the information back to the project, but that is part of the idea of it?
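Once nepenthes (or any other collector) is writing captured binaries to local disk, the next thing a practitioner wants is an inventory: a hash-keyed catalogue so that repeat downloads of the same bot are collapsed and each unique sample can be handed to the analysis workflow. The script below is an added example written for this thread, not code from the original posts or from the nepenthes project. It assumes captured samples sit as plain files in one directory (the path in SAMPLE_DIR is a placeholder assumption, not a nepenthes setting), hashes each file, labels it by magic bytes, and de-duplicates on SHA-256. The sample files it builds for itself are constructed, inert byte strings, not real malware.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Placeholder path (assumption for this example); point it at wherever your
# collector actually drops captured binaries.
SAMPLE_DIR = "/var/lib/honeypot/binaries"

# Magic-byte prefixes used to label what kind of file was captured.
MAGIC = {
    b"MZ": "pe-executable",       # Windows PE: the DOS stub starts with "MZ"
    b"\x7fELF": "elf-executable", # Linux/Unix ELF binary
    b"#!": "script",              # shebang-prefixed shell/perl/python dropper
}


def classify(data: bytes) -> str:
    """Return a coarse file type based on the leading bytes."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return "unknown"


def hash_sample(data: bytes) -> Dict[str, str]:
    """MD5 is kept only for cross-referencing older reports; SHA-256 is the key."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def catalog_samples(directory: str) -> List[Dict[str, object]]:
    """Walk the capture directory and return one record per unique sample."""
    seen = set()
    records = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        digests = hash_sample(data)
        if digests["sha256"] in seen:   # same bot pushed again: skip the duplicate
            continue
        seen.add(digests["sha256"])
        records.append({"file": name, "size": len(data), "type": classify(data), **digests})
    return records


def build_sample_dir() -> str:
    """Write constructed, inert files to a temp dir so the example runs offline."""
    d = tempfile.mkdtemp(prefix="honeypot-samples-")
    fake_pe = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary"
    samples = {
        "a1b2c3.bin": fake_pe,
        "duplicate.bin": fake_pe,                 # identical bytes, must be collapsed
        "drop.sh": b"#!/bin/sh\necho constructed\n",
        "blob.dat": b"\x00\x01\x02\x03",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


def write_manifest(records: List[Dict[str, object]], path: str) -> None:
    """Persist the catalogue as a simple fixed-width text manifest."""
    with open(path, "w") as fh:
        for r in records:
            fh.write(f"{r['sha256']}  {r['md5']}  {r['size']:>8}  {r['type']:<15}  {r['file']}\n")


if __name__ == "__main__":
    target = SAMPLE_DIR if os.path.isdir(SAMPLE_DIR) else build_sample_dir()
    for r in catalog_samples(target):
        print(f"{r['sha256']}  {r['size']:>8}  {r['type']:<15}  {r['file']}")
```

Run it as-is and it falls back to the constructed temp directory; with a real capture directory it prints one line per unique sample. Keying on SHA-256 rather than file name matters because collectors often name files by the source that pushed them, so the same bot arriving from a dozen infected hosts would otherwise be catalogued a dozen times.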