Honeypots mailing list archives
kfSubSeven: new honeypot emulation of the ever popular SubSeven trojan server
From: "Tom Wright" <tom () keyfocus net>
Date: Tue, 11 Nov 2003 15:22:39 -0000
We have just released kfSubSeven, a honeypot emulation of the ever popular SubSeven trojan server. kfSubSeven behaves just like the real thing, but without the unpleasant consequences.

It is a self-contained application which is designed to work within a honeypot system; it will not work by itself. kfSubSeven is not part of the KFSensor system, but can be used to add to its capabilities. Unlike KFSensor, this application is released as open source under the GNU General Public License.

kfSubSeven works well within KFSensor and should also work under Honeyd on Windows. If you want to use it on Linux or anything else, it will need a few changes to the code. Over 90% of the code is pure ANSI C, but there are a few Windows API calls that will need replacing to make it portable.

Here are some of the kfSubSeven highlights:

- Lets the client chat to the honeypot. SubSeven has a chat feature called 'The Matrix' that makes the victim's machine behave like it does in the film where Neo is first contacted. kfSubSeven quotes lines from the film back at the hacker. :-)
- Lets the client browse the files on the computer.
- Lets the client upload files. These are placed in a secure area for later analysis.
- Lets the client download files. These are special honey token files that you want people to see.
- Lets the client obtain the system's passwords.

Of course none of the data the client can access is genuine.

You can download both the pre-compiled exe, the source and all the supporting files by going to http://www.keyfocus.net/kfsensor/ and then selecting the Extras sub-menu.

If you don't run your own honeypot then there is an attack log of a real SubSeven attack that you might find interesting.
http://www.keyfocus.net/kfsensor/extras/subsevenexample1.php

We have a lot of fun with kfSubSeven, already we have captured 8 pieces of malware with no anti-virus signature.

We would welcome any comments and code enhancements or attack logs.

- Tom Wright
www.keyfocus.net