Honeypots mailing list archives

kfSubSeven: new honeypot emulation of the ever popular SubSeven trojan server


From: "Tom Wright" <tom () keyfocus net>
Date: Tue, 11 Nov 2003 15:22:39 -0000

We have just released kfSubSeven, a honeypot emulation of the ever popular
SubSeven trojan server.

kfSubSeven behaves just like the real thing, but without the unpleasant
consequences.

It is a self-contained application which is designed to work within a
honeypot system; it will not work by itself.
kfSubSeven is not part of the KFSensor system, but can be used to add to its
capabilities.
Unlike KFSensor, this application is released as open source under the GNU
General Public License.
kfSubSeven works well within KFSensor and should also work under Honeyd on
Windows.
If you want to use it on Linux or anything else, it will need a few changes
to the code.
Over 90% of the code is pure ANSI C, but there are a few Windows API calls
that will need replacing to make it portable.

Here are some of the kfSubSeven highlights:
    - Lets the client chat to the honeypot.
        SubSeven has a chat feature called 'The Matrix' that makes the
victim's machine behave like it does in the film where Neo is first
contacted. kfSubSeven quotes lines from the film back at the hacker. :-)
    - Lets the client browse the files on the computer
    - Lets the client upload files. These are placed in a secure area for
later analysis.
    - Lets the client download files. These are special honey token files
that you want people to see.
    - Lets the client obtain the system's passwords

Of course none of the data the client can access is genuine.

You can download both the pre-compiled exe, the source and all the
supporting files by going to
http://www.keyfocus.net/kfsensor/
and then selecting the Extras sub-menu.

If you don't run your own honeypot then there is an attack log of a real
SubSeven attack that you might find interesting.
http://www.keyfocus.net/kfsensor/extras/subsevenexample1.php

We have a lot of fun with kfSubSeven; already we have captured 8 pieces of
malware with no anti-virus signature.

We would welcome any comments and code enhancements or attack logs.

- Tom Wright
www.keyfocus.net
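The highlights above describe the defender-side mechanics of a trojan-server emulation: log everything the client does, quarantine whatever it uploads, hand out honey tokens instead of real files, and return decoy credentials. The following is an added example written for this archive page, not kfSubSeven's own code, and it does not implement the real SubSeven protocol. The line-based command syntax (UPLOAD/DOWNLOAD/PASSWORDS/CHAT), the HoneypotSession class, the decoy data and the listen port are all assumptions made up for the illustration.

```python
"""Minimal honeypot-session emulator (added example, not kfSubSeven's code).
The command syntax and all decoy data below are constructed for this example."""
import hashlib
import os
import socketserver
import tempfile
from datetime import datetime, timezone

# Honey tokens: the only "files" the emulated server will ever hand out.
# Constructed decoy content, deliberately unrelated to the host's real files.
HONEY_TOKENS = {
    "passwords.txt": b"admin:decoy-password-do-not-reuse\n",
    "budget.xls": b"decoy spreadsheet contents\n",
}
FAKE_PASSWORDS = ["administrator:decoy1", "guest:decoy2"]  # never real credentials
CHAT_REPLIES = ["Wake up...", "Follow the white rabbit."]   # stand-ins for film quotes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_quarantine_dir() -> str:
    """Fresh directory for captured uploads (temp dir here; a fixed path in real use)."""
    return tempfile.mkdtemp(prefix="honeypot-quarantine-")


class HoneypotSession:
    """One client connection. Every request is logged; no request touches real data."""

    def __init__(self, peer: str, quarantine_dir: str):
        self.peer = peer
        self.quarantine_dir = quarantine_dir
        self.events = []        # structured record of what the client tried
        self.quarantined = []   # paths of files written to the quarantine area
        self._chat_idx = 0

    def _log(self, kind: str, **fields) -> None:
        self.events.append({"time": datetime.now(timezone.utc).isoformat(),
                            "peer": self.peer, "kind": kind, **fields})

    def handle(self, line: str) -> bytes:
        parts = line.strip().split(" ")
        cmd = parts[0].upper() if parts and parts[0] else ""
        if cmd == "UPLOAD" and len(parts) == 3:
            return self._upload(parts[1], parts[2])
        if cmd == "DOWNLOAD" and len(parts) == 2:
            return self._download(parts[1])
        if cmd == "PASSWORDS":
            self._log("passwords")
            return ("\n".join(FAKE_PASSWORDS) + "\n").encode()
        if cmd == "CHAT":
            reply = CHAT_REPLIES[self._chat_idx % len(CHAT_REPLIES)]
            self._chat_idx += 1
            self._log("chat", text=" ".join(parts[1:]), reply=reply)
            return (reply + "\n").encode()
        self._log("unknown", raw=line.strip())
        return b"ERR unknown command\n"

    def _upload(self, claimed_name: str, hex_payload: str) -> bytes:
        try:
            data = bytes.fromhex(hex_payload)
        except ValueError:
            self._log("malformed", claimed_name=claimed_name)
            return b"ERR bad upload\n"
        digest = sha256_hex(data)
        # Store under the content hash, never under the client-chosen name,
        # so a name like "../../x" can never escape the quarantine directory.
        path = os.path.join(self.quarantine_dir, digest + ".bin")
        with open(path, "wb") as fh:
            fh.write(data)
        self.quarantined.append(path)
        self._log("upload", claimed_name=claimed_name, sha256=digest, size=len(data))
        return b"OK\n"

    def _download(self, name: str) -> bytes:
        # Lookup is against the token dictionary only; the real filesystem is never read.
        token = HONEY_TOKENS.get(os.path.basename(name))
        if token is None:
            self._log("download_denied", name=name)
            return b"ERR no such file\n"
        self._log("download", name=name)
        return token

    def quarantine_files_exist(self) -> bool:
        return all(os.path.isfile(p) for p in self.quarantined)


class _Handler(socketserver.StreamRequestHandler):
    """Line-oriented TCP front end for HoneypotSession (not used by the checks)."""

    def handle(self):
        session = HoneypotSession(self.client_address[0], self.server.quarantine_dir)
        for raw in self.rfile:
            self.wfile.write(session.handle(raw.decode("utf-8", "replace")))
        for event in session.events:   # in real use: write to the honeypot's log
            print(event)


if __name__ == "__main__":
    # Port is a constructed value for the example, not a claim about kfSubSeven.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2727), _Handler) as srv:
        srv.quarantine_dir = make_quarantine_dir()
        srv.serve_forever()
```

The two design choices worth copying into any emulation of this kind are that uploads are stored under their content hash rather than the client-supplied name (so the quarantine area cannot be escaped by a crafted filename), and that downloads are resolved only against an in-memory honey token table, so the emulated server can never be talked into reading the host's real files.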
