
Malware Honeypot Projects Merge

Posted by CowboyNeal
from the two-great-tastes dept.
rebvend writes "eWeek is reporting that two of the biggest honeypot projects (mwcollect and nepenthes) have merged operations. A new meta-portal at mwcollect.org will become a top-level community covering malware collection efforts while nepenthes will become the official tool for malware collection."
  • Evolution (Score:3, Insightful)

    by Ritz_Just_Ritz (883997) on Thursday February 23, 2006 @08:54PM (#14789458)
    Don't the malware folks get hip to the honeypots rather quickly or do they just unleash their plague and hope the hits overwhelm any setbacks from the honeypot?

  • by Anonymous Coward

    Ironic that you need Linux/BSD to collect malware for a Windows platform, wouldn't it make more sense to have a Windows version too?

    • by WindBourne (631190) on Thursday February 23, 2006 @09:06PM (#14789510) Journal
      All that you really want is to emulate an opening enough to encourage a cracker/worm to show itself and what the attempt is. If you use Windows, there will be back doors that will be unknown and the honeypot will most likely be cracked. Something like *bsd or *nix is needed.
      • by Anonymous Coward

        But most malware uses what are called "stub installers", which are usually small downloaders that call the rest of the malware components once infection has begun.
        Sure you can use WINE but then all the cracker has to do is a
        if (fileExists("c:\windows\system32\ntdll.dll"))
            execute(payload)

        It's probably quite trivial for the cracker to see whether the exploit is running in an (em|sim)ulated environment rather than the real thing (other than vmware).

        • by WindBourne (631190) on Thursday February 23, 2006 @09:47PM (#14789683) Journal
          Back in 200[23], I was doing commercial (and federal) network manipulations on OC-48s (and other lines). One of my ideas was to use our highspeed tool to track all the packets as they went in to a "honeypot". We were going to use vmware on top of a modified linux. It made sense to go after malware on x86 (x86 accounts for more than 99% of the malware). Once we knew the exact signature of the unencrypted packets going back, we would simply replay this back on other points. The idea was to have a number of honeypots to obtain the signatures, but once we had the signatures, we could then do packet/stream manipulations while blocking any thing coming in. Basically, we could use this to track who was on the net and where they were originating from while mitigating the damage. Sadly, we got side-tracked on the federal systems so we did not do this work.
        • [bob@honeypot: ~]$ touch /home/bob/.wine/drive_c/windows/system32/ntdll.dll
    • Do you realise how much that would cost? As I am sure you are aware, they would have to pay for each copy of Windows.
      • While in college we had to create a honeynet and monitor it for our final semester. Knowing that watching a linux honeynet would be boring as hell we decided to create a windows honeynet with all monitoring done using linux machines. Since we were students, hence poor, we used windows and then just didn't activate the installs, that gave us thirty days of authorized use before having to clean wipe and re-install. This was a perfect situation as being a windows honeynet, infection never took more than 30 day
  • Hence forth, it shall be known as "Mega Jackpot!!!" (the ! is part of the name).
  • by varmint jerky (810306) on Thursday February 23, 2006 @09:34PM (#14789622)
    It was inevitable...they couldn't resist each other.
  • ... the biggest honeypot projects ...

    Honey... oh my gracious...
  • by Quirk (36086) on Thursday February 23, 2006 @09:46PM (#14789679) Homepage Journal
    I remembered MS running a honeypot project that /. reported on last year.

    What Is Strider "HoneyMonkey"? [microsoft.com] is a different take on the problem. /. reported on the project... http://it.slashdot.org/article.pl?sid=05/05/18/2240222 [slashdot.org]

  • ...I am CAPTAIN HARDRIVE!


    Captain Hardrive
    He's our hero
    he's going to take malware
    down to zero
  • To the tune of "The New Justice Team Theme" -- Futurama

    Go, go, go New Malware Team
    Go team, go team, team team team
    Whose that newest Malware Team?
    The New Malware Team

    MW Collect is fast
    Also it is from the past
    Not just fast but from the past
    MW Collect!

    Nepenthes has all the powers of a King
    Plus all the power of Superman,
    Also it's a robot
    Ain't it cool? Nepenthes you rule!

    Hon-ney-pot beats you up
    Ho-ney-pot beats you up
    Who does it beat up? You!!
    Hon-ney-pot!

    Citizens, never fear
    Crazy do-good f
    • by Anonymous Coward
      Ouch - you know, I wish we had a "Slashdot" honeypot to collect "Sung to the tune of " references stories like this tend to collect.

      Wait, is this thread the honeypot???.
  • I'm surely not the only slashdotter who thinks that honeypot sounds like a euphemism for vagina, am I?
  • In case anyone was wondering, nepenthes is a genus of carnivorous or insectivorous pitcher plants. More information about them can be found here [wikipedia.org].

  • So economies of scale is nice...

    But possibilities of being paid off or court-ordered increase, which sucks.

    Overall I'd say... net loss.
  • Doesn't it seem obvious that spammers have their own honeypots (in order to harvest addresses from each other)? Of course, the advantage with a spammer's honey pot is that he/she doesn't have to worry about mitigating any damage - just let that spam spew through - so long as you get a copy of the addresses. Unless you think they all meet somewhere and trade/sell addresses...? What makes you think they treat each other honorably when they can just steal?
