funsec mailing list archives

Whitepaper: The Nepenthes Platform: An Efficient Approach to Collect Malware


From: "Fergie" <fergdawg () netzero net>
Date: Thu, 21 Sep 2006 22:32:45 GMT

From Thorsten Holz and the good folks over at Honeyblog.

[abstract]

Up to now, there is little empirically backed quantitative and
qualitative knowledge about self-replicating malware publicly
available. This hampers research in these topics because many
counter-strategies against malware, e.g., network- and host-based
intrusion detection systems, need hard empirical data to take full effect.

We present the nepenthes platform, a framework for large-scale
collection of information on self-replicating malware in the wild. The
basic principle of nepenthes is to emulate only the vulnerable parts of
a service. This leads to an efficient and effective solution that
offers many advantages compared to other honeypot-based solutions.
Furthermore, nepenthes offers a flexible deployment solution, leading
to even better scalability.

Using the nepenthes platform we and several other organizations were
able to greatly broaden the empirical basis of data available about
self-replicating malware and provide thousands of samples of previously
unknown malware to vendors of host-based IDS/anti-virus systems. This
greatly improves the detection rate of this kind of threat.

[snip]

Final paper:
http://honeyblog.org/junkyard/paper/collecting-malware-final.pdf

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
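An added illustration of the principle the abstract describes, emulating only the vulnerable part of a service rather than the whole protocol, and then mining the captured payload for download locations. This is example code written for this archive page, not code from the paper or the nepenthes project; the toy service, its single emulated command, the buffer limit and the sample payload are all constructed assumptions.

```python
# Emulate one vulnerable request path of a constructed toy service and
# capture whatever an oversized request carries. Nothing else of the
# protocol is implemented, which is the nepenthes idea in miniature.
import re

BANNER = b"220 toy-ftp ready\r\n"   # constructed: just enough to look alive
VULN_CMD = b"USER "                  # constructed: the only command emulated
BUF_LIMIT = 64                       # constructed: pretend overflow threshold


class VulnModule:
    """Handles a single emulated vulnerability and records suspect input."""

    def __init__(self):
        self.captured = []  # raw arguments that exceeded the emulated buffer

    def handle(self, request: bytes) -> bytes:
        """Return the reply a client would see; store oversized payloads."""
        if not request.startswith(VULN_CMD):
            # Outside the emulated path: generic refusal, no real protocol.
            return b"500 Unknown command\r\n"
        arg = request[len(VULN_CMD):].rstrip(b"\r\n")
        if len(arg) <= BUF_LIMIT:
            return b"331 Password required\r\n"
        # Oversized argument: keep it for analysis and answer the way a
        # successfully exploited service would, so the sender continues.
        self.captured.append(arg)
        return b"230 Login successful\r\n"


# Constructed stand-in for the payload-handling step: pull URL-like strings
# out of captured data so a separate fetcher could retrieve the sample.
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\w.\-]+(?::\d+)?[\w./\-]*")


def extract_urls(payload: bytes) -> list:
    """Return every download location found in a captured payload."""
    return URL_RE.findall(payload)


if __name__ == "__main__":
    mod = VulnModule()
    sample = b"USER " + b"A" * 100 + b"http://192.0.2.10:8080/x.exe\r\n"
    print(mod.handle(sample), extract_urls(mod.captured[0]))
```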


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.