Honeypots mailing list archives

Re: botnet logs


From: Valdis.Kletnieks () vt edu
Date: Sun, 16 Nov 2008 22:51:52 -0500

On Sat, 15 Nov 2008 13:20:21 +0100, Nathan said:
> I have to make a brief presentation about honeypots and botnets
> relation. I chose honeyd as an example honeypot, I am already running
> it, but due to limited IP resources and short time, I wasn't able to
> gather any valuable information.
> I would be pleased if anyone could send me a honeyd log of a botnet
> attack (ddos or infecting).

I think you're just a tad confused.  For the honeyd log to show anything on
the attack side, one of two things has to be true:

1) The honeyd is being attacked by a botnet.  This is a challenge because
you have to draw the botnet's attention to the honeypot and make them attack
it - usually the botnet is busy doing other stuff.

2) The honeyd is running on a host that's part of a botnet.  For this to
happen, first it has to be botted into the net - and then the owners of the
honeyd have to allow it to participate in the attack, which is somewhat
morally ambiguous (unless you let it attack but then firewall off the
attack packets along the way).

You're unlikely to find many honeyd logs of a botnet trying to infect a host,
because enough hosts are running Windows XP SP2 or other operating systems
that have a sane firewall by default, so we probably won't see many more
CodeRed/Nimda type worms anymore.

Your best bet is to run honeyd on a host, and then visit a webpage that
has a malware injector on it and capture that. You probably want to run
a tcpdump or other packet-capture program as well to catch the raw network
traffic.

Fortunately, Google is nice enough to mark links that might be malware;
you should try visiting those with a sacrificial-goat machine and let
honeyd and tcpdump record what happens...
