Finally, after almost 2 quarters of waiting (at least for me), the BOT Honeypot is now up and running. We’ve finally acquired the DSL line (which was the only thing missing) so now we are able to test/improve the system. So far after more than a day of being online, we’ve acquired around 10-20 (I’ve lost count of the actual submissions versus the samples received hehehe). Here’s a piece of the action:
Yes, I deliberately did not include the Subject and the From/To addresses. And I won’t explain why.
Every 10 minutes, the system sends an email (to TMIRT) on the acquired samples still undetected by the latest CPR. Any BU takers for the BOT honeypot (same as the smallpot hehe)? :D
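The "submissions versus samples received" gap above comes from many submissions carrying the same binary, so the periodic report only makes sense once samples are deduplicated by hash. The following is an added example (not the honeypot's own code from this post) of that step: it hashes every file in a sample directory, groups submissions by SHA-256, and writes the "still undetected" report text. The pattern-file check is an assumption here; `detected_hashes` stands in for whatever the latest CPR flags, since the post does not describe that interface, and the sample files are constructed inline so the script runs offline.

```python
"""
Added example (not the blog's code): deduplicate captured honeypot samples by
SHA-256 and build the periodic "still undetected" report. `detected_hashes`
is an assumed stand-in for the scanner/pattern-file verdicts.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so a large dropper is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_samples(sample_dir: str) -> dict:
    """Map each unique SHA-256 to the submission filenames that carried it.
    Several submissions usually carry the same binary, which is why the
    submission count and the unique-sample count differ."""
    by_hash = {}
    for name in sorted(os.listdir(sample_dir)):
        path = os.path.join(sample_dir, name)
        if os.path.isfile(path):
            by_hash.setdefault(sha256_file(path), []).append(name)
    return by_hash


def undetected_report(by_hash: dict, detected_hashes: set) -> str:
    """Report text listing the unique samples the current pattern does not flag."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    lines = [
        f"BOT honeypot report {stamp}",
        f"submissions={sum(len(v) for v in by_hash.values())} unique={len(by_hash)}",
    ]
    for digest, names in sorted(by_hash.items()):
        if digest not in detected_hashes:
            lines.append(f"UNDETECTED {digest} x{len(names)} first_seen_as={names[0]}")
    return "\n".join(lines)


def demo() -> tuple:
    """Constructed sample directory: three submissions, two with identical bytes."""
    with tempfile.TemporaryDirectory() as d:
        samples = [
            ("sub001.exe", b"MZ-constructed-worm-A"),
            ("sub002.exe", b"MZ-constructed-worm-A"),  # duplicate submission
            ("sub003.exe", b"MZ-constructed-worm-B"),
        ]
        for name, data in samples:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        by_hash = collect_samples(d)
        # Assumption: the pattern already detects worm A, not worm B.
        detected = {hashlib.sha256(b"MZ-constructed-worm-A").hexdigest()}
        report = undetected_report(by_hash, detected)
    return len(by_hash), report


if __name__ == "__main__":
    print(demo()[1])
```

Running `demo()` shows 3 submissions collapsing to 2 unique samples, with exactly one line marked UNDETECTED; the report string is what a cron job would hand to the mailer every 10 minutes.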
The supposed “details” page within this site is outdated and I’ll probably update it within the week (hopefully before my evil-procrastinating twin takes over). If you do want to set this up in your BU, here are the minimum requirements (and do email us if you want the details – if I haven’t updated the site yet hehehe):
- Pentium 4 machine
- Minimum 80 Gig HD
- 1G memory
- DSL line with 2 static IPs
- Sygate Personal Firewall
- VMWare 5.0 (yes, 5.0) / Windows XP Pro SP2 for the Host OS, Windows XP Pro SP0 for the Guest OS
Update (JJ, 09 November 2005 22:09:51)
And what’s the difference with my setup as compared to Nepenthes and MWcollect? Actually, I started out by trying to install these programs but of course, I failed, got frustrated, and decided to create my own hehehe.
So what’s the difference, you say again?
Nepenthes and MWCollect EMULATE the ports/services as well as the shellcodes to get the actual worm. The drawback that I see in this is that for NEW exploits, they won’t be able to get it since it is not in their emulator. The basis for doing this is to make the system hosting the program immune to the attacks:
MWCollect: “The mwcollect daemon mwcollectd opens ports that are known to be commonly exploited by Malware and simulates certain known vulnerabilities on them.”
Nepenthes: “It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities.”
Well I say:
“Why not expose a REAL OS, so that when a worm that uses a new/UNIDENTIFIED exploit attacks the honeypot, we can still get the sample?” (desperately trying to justify my implementation hehehehe)
And, to prevent the honeypot from attacking other systems (which may have some legal issues depending on which country), we set up a firewall with specific rules to allow all bad packets in, and drop all outgoing bad packets. Really not a revolutionary idea as some other people already have this kind of setup hehehehehe (I forget the link as of this moment).
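The containment rule above ("all bad packets in, no bad packets out") is the part that makes a real-OS honeypot safe to run, so here is an added example (not the post's Sygate configuration) that models the policy as a small stateful decision function and logs what it drops. Two assumptions are made that the post does not spell out: a stateful firewall already passes packets belonging to an accepted connection, so only new connections are modelled; and "bad outgoing" is taken to mean any new connection the honeypot initiates to a host that has not already connected to it (a connection back to the attacking host is allowed, since that is how the sample gets fetched). The hosts and ports are constructed RFC 5737 documentation addresses; the dropped outbound attempts are kept as a per-port count because a freshly infected guest scanning for new victims is exactly the infection signal the operator wants to see.

```python
"""
Added example (not the blog's setup): a connection-level model of the
honeypot egress-containment policy. Assumptions are marked in comments.
"""
from collections import Counter, namedtuple

# One new connection attempt. Assumption: a stateful firewall in front of the
# honeypot already allows packets of accepted connections in both directions,
# so only connection setups need a decision here.
Conn = namedtuple("Conn", "proto src sport dst dport")


class ContainmentFirewall:
    def __init__(self, honeypot_ip: str):
        self.honeypot_ip = honeypot_ip
        self.inbound_peers = set()   # hosts that have already attacked/connected in
        self.log = []                # (verdict, reason, conn) for every decision

    def decide(self, conn: Conn) -> str:
        # "Allow all bad packets in": anything aimed at the honeypot is accepted,
        # and the peer is remembered so the guest can fetch the payload from it.
        if conn.dst == self.honeypot_ip:
            self.inbound_peers.add(conn.src)
            return self._record("ACCEPT", "inbound-to-honeypot", conn)
        if conn.src == self.honeypot_ip:
            # Assumption: a connection back to a host that already connected in
            # (e.g. the worm pulling its binary from the attacker) is not "bad".
            if conn.dst in self.inbound_peers:
                return self._record("ACCEPT", "fetch-from-known-attacker", conn)
            # "Drop all outgoing bad packets": the guest trying to reach anyone
            # else is treated as propagation and stopped at the firewall.
            return self._record("DROP", "outbound-propagation-attempt", conn)
        return self._record("DROP", "not-honeypot-traffic", conn)

    def _record(self, verdict: str, reason: str, conn: Conn) -> str:
        self.log.append((verdict, reason, conn))
        return verdict

    def propagation_attempts(self) -> Counter:
        """Dropped outbound connections per destination port: an infection indicator."""
        return Counter(
            c.dport for v, r, c in self.log if r == "outbound-propagation-attempt"
        )


def demo() -> tuple:
    """Constructed sequence: one inbound attack, one fetch-back, two scan attempts."""
    fw = ContainmentFirewall("192.0.2.10")            # honeypot's static IP (constructed)
    events = [
        Conn("tcp", "203.0.113.5", 3127, "192.0.2.10", 445),   # attacker exploits the guest
        Conn("udp", "192.0.2.10", 1026, "203.0.113.5", 69),    # guest fetches payload via TFTP
        Conn("tcp", "192.0.2.10", 1027, "198.51.100.7", 445),  # guest scans a new victim
        Conn("tcp", "192.0.2.10", 1028, "198.51.100.8", 445),  # and another
    ]
    verdicts = [fw.decide(e) for e in events]
    return verdicts, fw.propagation_attempts()


if __name__ == "__main__":
    verdicts, attempts = demo()
    print(verdicts)
    print("dropped outbound attempts by port:", dict(attempts))
```

In practice the same two rules map onto any stateful firewall: accept new connections whose destination is the honeypot's address, accept the honeypot's own new connections only toward addresses already seen inbound, drop and log everything else it originates. The `propagation_attempts()` counter is the piece worth alerting on, since a burst of dropped outbound connections to one port means the guest is now infected and should be imaged and rolled back.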
Anyway, I’ll be releasing the details within this week (still have to fight with my evil-procrastinating twin and organize my thoughts) which covers other questions such as… ehrm… how does it work? and stuff.