Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Evolutions in the honeypot/honeynet arena SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Evolutions in the honeypot/honeynet arena
Over the past days we have received some interesting links on the collection of malware using new variations on the honeypot theme.

Traditionally a honeypot was a (somewhat) vulnerable system that you let get infected in order to learn something form it. This newer breed is more an an automated system to catch malware without getting the system infected.

mwcollect ( is an automated downloader of malware. Georg Wicherski, mwcollect head developer, sent us some collected samples of his setup and I must say I'm still impressed by the number of collections he's sent us then.

Along the same lines is nepenthes ( a system that emulates known vulnerabilities in order to catch the exploits thrown at it.

Fellow handler Daniel Wesemann suggested a look at the Argos system, (, designed to detect arbitrary control flow and arbitrary code execution attacks. It is build on top of QEMU for the emulation of x86 processors.  I have one big gripe about the approach and that is the comment in the FAQ of QEMU (quoting):
Q: "I want to set up a honeypot. Can I use QEMU for that purpose ?"
A: "It is possible, but the QEMU code has not been reviewed for security issues."

With recent vulnerabilities in the commonly used vmware and the trend of malware detecting vmware and debugging, great care is needed to the quality and security of these tools. So my suggestion would be to carefully inspect the source code of any of these before deciding to deploy it, even for a test run.

There are for sure more efforts in this arena, I'm just summarizing what we received recently.
As always, use these systems at your own risk.

Collecting all these samples is however just the first step. Somebody needs to analyze it and with the increase of malware that race might be tough on some. See also Kevin Liston's on Dasher article.

Swa Frantzen

760 Posts
Dec 26th 2005

Sign Up for Free or Log In to start participating in the conversation!