Malware Honeypot Projects Merge

rebvend writes "eWeek is reporting that two of the biggest honeypot projects (mwcollect and nepenthes) have merged operations. A new meta-portal at mwcollect.org will become a top-level community covering malware collection efforts while nepenthes will become the official tool for malware collection."

Evolution

[Ritz_Just_Ritz]

Don't the malware folks get hip to the honeypots rather quickly or do they just unleash their plague and hope the hits overwhelm any setbacks from the honeypot?

Re:Evolution

[jsherman256]

Not the way that malware makers tend to do things. Just look at the Sony rootkit.

Re:Evolution

[spectre_240sx]

I don't know that I'd consider the sony root-kit malware. It's just piss poorly written software in my eyes.

Re:Evolution

[Trigun]

You mean m/OSS

No Windows version ?

[Anonymous Coward]

Ironic that you need Linux/BSD to collect malware for a Windows platform, wouldnt it make more sense to have a windows version too ?

Re:No Windows version ?

[WindBourne]

All that you really want is to emulate an opening enough to encourage a cracker/worm to show itself and what the attempt is. If you use Windows, there will be back doors that will be unknown and the honeypot will most likely be cracked. Something like *bsd or *nix is needed.

Re:No Windows version ?

[Anonymous Coward]

but most malware uses what are called "stub installers" which are usually small downloaders that call the rest of the malware components once infection has begun
sure you can use WINE but then all the cracker has to do is a
if(fileExists("c:\windows\system32\ntdll.dll")
execute(payload)

its probably quite trivial for the cracker to see wether the exploit is running in an (em|sim)ulated enviroment rather than the real thing (other than vmware)

Re:No Windows version ?

[WindBourne]

Back in 200[23], I was doing commercial (and federal) network manipulations on OC-48s (and other lines). One of my ideas was to use our highspeed tool to track all the packets as they went in to a "honeypot". We were going to use vmware on top of a modified linux. It made sense to go after malware on x86 (x86 accounts for more than 99% of the malware). Once we knew the exact signature of the unencrypted packets going back, we would simply replay this back on other points. The idea was to have a number of honeypots to obtain the signatures, but once we had the signatures, we could then do packet/stream manipulations while blocking any thing coming in. Basically, we could use this to track who was on the net and where they were originating from while mitigating the damage. Sadly, we got side-tracked on the federal systems so we did not do this work.

Greetings from the world of tomorrow!

[TCQuad]

Back in 200[23]

OMG, you're from the future?

And we use base-32 numbers in the future?

Man, that is such an appropriate interesting mod.

Re:No Windows version ?

[Ethan Allison]

[bob@honeypot: ~]$ touch /home/bob/.wine/drive_c/windows/system32/ntdll.dll

Re:No Windows version ?

[pembo13]

Do you realise how much that would cost? As I am sure you are aware, they would have to pay for each copy of Windows.

Re:No Windows version ?

[CsiDano]

While in college we had to create a honeynet and monitor it for our final semester. Knowing that watching a linux honeynet would be boring as hell we decided to create a windows honeynet with all monitoring done using linux machines. Since we were students, hence poor, we used windows and then just didn't activate the installs, that gave us thirty days of authorized use before having to clean wipe and re-install. This was a perfect situation as being a windows honeynet, infection never took more than 30 day

Hence Forth..

[Comatose51]

Hence forth, it shall be known as "Mega Jackpot!!!" (the ! is part of the name).

Bound to happen

[varmint jerky]

It was inevitable...they couldn't resist each other.

As Winnie the Pooh would say...

[__aaclcg7560]

... the biggest honeypot projects ...

Honey... oh my gracious...

MS Strider honeymonkey project

[Quirk]

I remembered MS running a honeypot project that /. reported on last year.

What Is Strider "HoneyMonkey"? [microsoft.com] is a differnet take on the problem. /. reported on the project... http://it.slashdot.org/article.pl?sid=05/05/18/224 0222 [slashdot.org]

Re:MS Strider honeymonkey project

[telax]

Do you mean www.microsoft.com? :) Didn't they have it on unix for quite a while? Can't remember.

Your powers combined....

[smaerd]

...I am CAPTAIN HARDRIVE!


Captain Hardrive
He's our hero
he's going to take malware
down to zero

The New Malware Team

[slashbob22]

To the tune of "The New Justice Team Theme" -- Futurama

Go, go, go New Malware Team
Go team, go team, team team team
Whose that newest Malware Team?
The New Malware Team

MW Collect is fast
Also it is from the past
Not just fast but from the past
MW Collect!

Nepenthes has all the powers of a King
Plus all the power of Superman,
Also it's a robot
Ain't it cool? Nepenthes you rule!

Hon-ney-pot beats you up
Ho-ney-pot beats you up
Who does it beat up? You!!
Hon-ney-pot!

Citizens, never fear
Crazy do-good f

Re:The New Malware Team

[Anonymous Coward]

Ouch - you know, I wish we had a "Slashdot" honeypot to collect "Sung to the tune of " references stories like this tend to collect.

Wait, is this thread the honeypot???.

I'm surely not the only slashdotter...

[PornMaster]

I'm surely not the only slashdotter who thinks that honeypot sounds like a euphemism for vagina, am I?

Re:I'm surely not the only slashdotter...

[Anonymous Coward]

It's funny that you say that... in the history of the word, it has a similar meaning.
http://en.wikipedia.org/wiki/Honeypot_(electronics ) [wikipedia.org]

The term "honeypot" is often understood to refer to the British children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey.

During the Cold War it was an espionage technique, which inspired spy fiction. The term "honeypot" was used to describe the use of sexual entrapment to gain information. In a common scen

Re:I'm surely not the only slashdotter...

[kent_eh]

GIS for Honeywagon [vancouver.bc.ca]
That's what we always called 'em when I was growing up on the farm.

Re:I'm surely not the only slashdotter...

[cloudmaster]

Wrong hole, man. Wrong hole.

Meaning of nepenthes

[EightMillion]

In case anyone was wondering, nepenthes is a genus of carnivorous or insectivorous pitcher plants. More information about them can be found here [wikipedia.org].

They're both doing the same thing...

[Deliveranc3]

So economies of scale is nice...

But possibilities of being paid off or court-ordered increase, which sucks.

Overall I'd say... net loss.

speaking of honeypots

[bobkoure]

Doesn't it seem obvious that spammers have their own honeypots (in order to harvest addresses from each other)? Of course, the advantage with a spammer's honey pot is that he/she doesn't have to worry about mitigating any damage - just let that spam spew through - so long as you get a copy of the addresses. Unless you think they all meet somewhere and trade/sell addresses...? What makes you think they treat each other honorably when they can just steal?