Malware Honeypot Projects Merge

CowboyNeal posted more than 8 years ago | from the two-great-tastes dept.


rebvend writes "eWeek is reporting that two of the biggest honeypot projects (mwcollect and nepenthes) have merged operations. A new meta-portal at will become a top-level community covering malware collection efforts while nepenthes will become the official tool for malware collection."

FP (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14789450)


malware honeypots!! (0)

Anonymous Coward | more than 8 years ago | (#14789454)

think of all the porn they have to surf through!

Ask Slashdot: (1)

master_meio (834537) | more than 8 years ago | (#14789456)

Why do mentally-handicapped nerds seem to be incapable of writing anything other than point-by-point rebuttals? Is this an Asperger's thing? Is it too much to ask that you autistic computer weenies take an introductory English composition class? If your ideas have to be propped up with quoted text, they aren't very good ones.

Re:aspergers (-1, Offtopic)

Douglas Simmons (628988) | more than 8 years ago | (#14789615)

I get my boxer shorts at K-Mart in Cincinnati. Gotta get my boxer shorts at K-Mart.

Re:aspergers (-1, Offtopic)

SpinJaunt (847897) | more than 8 years ago | (#14789634)

hmmm.. I get my "boxer shorts" from Debenhams. then again this is totally off-topic =P

Re:aspergers (-1, Redundant)

Douglas Simmons (628988) | more than 8 years ago | (#14789792)

He made a remark about Asperger's, which is related to autism, and I was doing a Rain Man quote.... never mind.

Re:aspergers (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14789862)

I have Asperger's and I get my boxer shorts at K-Mart, you insensitive clod!

Evolution (2, Insightful)

Ritz_Just_Ritz (883997) | more than 8 years ago | (#14789458)

Don't the malware folks get hip to the honeypots rather quickly or do they just unleash their plague and hope the hits overwhelm any setbacks from the honeypot?

Re:Evolution (1)

jsherman256 (921052) | more than 8 years ago | (#14789469)

Not the way that malware makers tend to do things. Just look at the Sony rootkit.

Re:Evolution (1)

spectre_240sx (720999) | more than 8 years ago | (#14789899)

I don't know that I'd consider the Sony rootkit malware. It's just piss-poorly written software in my eyes.

Re:Evolution (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14789559)

Maybe malware should free itself from intelligent design and rewrite small parts of its code randomly in the hope that the successful rewrites will dominate and the weaker incarnations will die out.

Re:Evolution (0)

Anonymous Coward | more than 8 years ago | (#14789600)

and in a few hundred million years we might have some moss

Re:Evolution (1)

Trigun (685027) | more than 8 years ago | (#14790031)

You mean m/OSS

No Windows version ? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14789481)

Ironic that you need Linux/BSD to collect malware for a Windows platform. Wouldn't it make more sense to have a Windows version too?

Re:No Windows version ? (4, Insightful)

WindBourne (631190) | more than 8 years ago | (#14789510)

All that you really want is to emulate an opening enough to encourage a cracker/worm to show itself and what the attempt is. If you use Windows, there will be back doors that will be unknown and the honeypot will most likely be cracked. Something like *bsd or *nix is needed.
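WindBourne's point is that a collector only has to look like an open service for long enough to capture what is thrown at it, without ever running what arrives. The following Python sketch is an added example for this thread, not code from nepenthes, mwcollect or any poster: it answers each connection with a fake banner, stores whatever the peer sends, and files the bytes by SHA-256 so repeated samples collapse to one record. The banner text, the sample payload and the class and function names are all constructed for the illustration.

```python
import hashlib
import socket
import threading
import time
from dataclasses import dataclass
from typing import List

# Constructed banner: whatever a real listener of this type would greet with.
BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


@dataclass
class Capture:
    """One connection's worth of collected bytes plus where it came from."""
    peer: str
    peer_port: int
    size: int
    sha256: str
    preview: bytes  # first 64 bytes, enough to triage without running anything


class LowInteractionHoneypot:
    """Emulates just enough of a service to make a probe reveal its payload.

    Nothing that arrives is executed or parsed; it is only stored and hashed,
    which is what keeps the collector itself from being compromised.
    """

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = BANNER, max_bytes: int = 1 << 20,
                 read_timeout: float = 2.0) -> None:
        self.banner = banner
        self.max_bytes = max_bytes
        self.read_timeout = read_timeout
        self.captures: List[Capture] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0 lets the OS pick a free one
        self._sock.listen(16)
        self._sock.settimeout(0.2)  # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._collect, args=(conn, addr), daemon=True).start()

    def _collect(self, conn: socket.socket, addr) -> None:
        chunks, total = [], 0
        try:
            conn.settimeout(self.read_timeout)
            conn.sendall(self.banner)  # play the part of the service
            while total < self.max_bytes:
                data = conn.recv(4096)
                if not data:  # peer closed: sample complete
                    break
                chunks.append(data)
                total += len(data)
        except (socket.timeout, OSError):
            pass  # a silent or dropped peer still yields a (possibly empty) record
        finally:
            conn.close()
        payload = b"".join(chunks)
        record = Capture(peer=addr[0], peer_port=addr[1], size=len(payload),
                         sha256=hashlib.sha256(payload).hexdigest(),
                         preview=payload[:64])
        with self._lock:
            self.captures.append(record)

    def wait_for(self, count: int, timeout: float = 5.0) -> List[Capture]:
        """Block until at least `count` records exist or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.captures) >= count:
                    return list(self.captures)
            time.sleep(0.05)
        with self._lock:
            return list(self.captures)


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Stand-in client: read the banner, send a payload, hang up. Returns the banner."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def run_demo(payload: bytes = b"EHLO probe\r\nCONSTRUCTED SAMPLE BYTES\r\n"):
    """Start a listener, send it one constructed payload, return (banner, captures)."""
    hp = LowInteractionHoneypot()
    hp.start()
    try:
        banner = probe(hp.port, payload)
        captures = hp.wait_for(1)
    finally:
        hp.stop()
    return banner, captures


if __name__ == "__main__":
    banner, caps = run_demo()
    for c in caps:
        print(f"{c.peer}:{c.peer_port} {c.size} bytes sha256={c.sha256} preview={c.preview!r}")
```

The design choice worth noticing is that the listener never interprets the bytes it receives, so a malformed or hostile payload has nothing to exploit on the collector side; the size cap and read timeout keep a slow or flooding peer from tying up the thread. Deduplicating on the digest is what lets a farm of such listeners report how many distinct samples they saw rather than how many connections.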

Re:No Windows version ? (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14789571)

But most malware uses what are called "stub installers", which are usually small downloaders that call the rest of the malware components once infection has begun.
Sure, you can use WINE, but then all the cracker has to do is a

It's probably quite trivial for the cracker to see whether the exploit is running in an (em|sim)ulated environment rather than the real thing (other than VMware).

Re:No Windows version ? (0)

Anonymous Coward | more than 8 years ago | (#14789681)

I think you're giving most malware authors too much credit.

And wouldn't they still at least get the stub?

Re:No Windows version ? (3, Interesting)

WindBourne (631190) | more than 8 years ago | (#14789683)

Back in 200[23], I was doing commercial (and federal) network manipulations on OC-48s (and other lines). One of my ideas was to use our high-speed tool to track all the packets as they went in to a "honeypot". We were going to use VMware on top of a modified Linux. It made sense to go after malware on x86 (x86 accounts for more than 99% of the malware). Once we knew the exact signature of the unencrypted packets going back, we would simply replay this back on other points. The idea was to have a number of honeypots to obtain the signatures, but once we had the signatures, we could then do packet/stream manipulations while blocking anything coming in. Basically, we could use this to track who was on the net and where they were originating from while mitigating the damage. Sadly, we got side-tracked on the federal systems, so we did not do this work.

Greetings from the world of tomorrow! (1)

TCQuad (537187) | more than 8 years ago | (#14792881)

Back in 200[23]

OMG, you're from the future?

And we use base-32 numbers in the future?

Man, that is such an appropriate interesting mod.

Re:No Windows version ? (3, Informative)

Ethan Allison (904983) | more than 8 years ago | (#14789701)

[bob@honeypot: ~]$ touch /home/bob/.wine/drive_c/windows/system32/ntdll.dll

Re:No Windows version ? (0)

Anonymous Coward | more than 8 years ago | (#14789623)

Of course not. Why risk infection while trying to collect specimens? Same reason a nurse puts on sterile gloves before doing blood work. But I guess that's giving safety in both directions.

Re:No Windows version ? (1)

pembo13 (770295) | more than 8 years ago | (#14790799)

Do you realise how much that would cost? As I am sure you are aware, they would have to pay for each copy of Windows.

Re:No Windows version ? (1)

CsiDano (807071) | more than 8 years ago | (#14791906)

While in college we had to create a honeynet and monitor it for our final semester. Knowing that watching a Linux honeynet would be boring as hell, we decided to create a Windows honeynet with all monitoring done using Linux machines. Since we were students, hence poor, we used Windows and then just didn't activate the installs; that gave us thirty days of authorized use before having to clean-wipe and re-install. This was a perfect situation as, being a Windows honeynet, infection never took more than 30 days.

Hence Forth.. (1)

Comatose51 (687974) | more than 8 years ago | (#14789587)

Henceforth, it shall be known as "Mega Jackpot!!!" (the ! is part of the name).

Bound to happen (4, Funny)

varmint jerky (810306) | more than 8 years ago | (#14789622)

It was inevitable...they couldn't resist each other.

Oh server why are you not there? (0)

Anonymous Coward | more than 8 years ago | (#14789656)

Slashdot - Malware providers server take down provider

As Winnie the Pooh would say... (1)

creimer (824291) | more than 8 years ago | (#14789671)

... the biggest honeypot projects ...

Honey... oh my gracious...

MS Strider honeymonkey project (4, Informative)

Quirk (36086) | more than 8 years ago | (#14789679)

I remembered MS running a honeypot project that /. reported on last year.

What Is Strider "HoneyMonkey"? is a different take on the problem. /. reported on the project... 0222

Re:MS Strider honeymonkey project (1)

telax (653371) | more than 8 years ago | (#14791273)

Do you mean :) Didn't they have it on unix for quite a while? Can't remember.

In other news... (0)

Anonymous Coward | more than 8 years ago | (#14789744)

Linux is STILL for fags.

Your powers combined.... (2, Funny)

smaerd (954708) | more than 8 years ago | (#14789752)


Captain Hardrive
He's our hero
he's going to take malware
down to zero

The New Malware Team (1)

slashbob22 (918040) | more than 8 years ago | (#14789897)

To the tune of "The New Justice Team Theme" -- Futurama

Go, go, go New Malware Team
Go team, go team, team team team
Who's that newest Malware Team?
The New Malware Team

MW Collect is fast
Also it is from the past
Not just fast but from the past
MW Collect!

Nepenthes has all the powers of a King
Plus all the power of Superman,
Also it's a robot
Ain't it cool? Nepenthes you rule!

Hon-ney-pot beats you up
Ho-ney-pot beats you up
Who does it beat up? You!!

Citizens, never fear
Crazy do-good freaks are here
Until they run out of steam...
Merger cream, merger cream

Gives the power to the team
Its effects wear off for sure
So they just merge with some more
The New Malware Team!

Re:The New Malware Team (1, Funny)

Anonymous Coward | more than 8 years ago | (#14790065)

Ouch - you know, I wish we had a "Slashdot" honeypot to collect "Sung to the tune of " references stories like this tend to collect.

Wait, is this thread the honeypot???

I'm surely not the only slashdotter... (1)

PornMaster (749461) | more than 8 years ago | (#14790273)

I'm surely not the only slashdotter who thinks that honeypot sounds like a euphemism for vagina, am I?

Re:I'm surely not the only slashdotter... (1, Informative)

Anonymous Coward | more than 8 years ago | (#14790381)

It's funny that you say that... in the history of the word, it has a similar meaning.

The term "honeypot" is often understood to refer to the British children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey.

During the Cold War it was an espionage technique, which inspired spy fiction. The term "honeypot" was used to describe the use of sexual entrapment to gain information. In a common scenario, a pretty female Communist agent would trick a male Western official into handing over secret information.

An alternative explanation for the term is a reflection of the sarcastic term for outhouses and other methods of collecting feces and other human waste in places that lack indoor plumbing. Honey is a euphemism for such waste, which is kept in a honeypot until it is picked up by a honey wagon and taken to a disposal area. In this usage, attackers are the equivalent of flies, drawn by the stench of sewage.

Re:I'm surely not the only slashdotter... (1)

kent_eh (543303) | more than 8 years ago | (#14790838)

GIS for Honeywagon
That's what we always called 'em when I was growing up on the farm.

Re:I'm surely not the only slashdotter... (1)

cloudmaster (10662) | more than 8 years ago | (#14793554)

Wrong hole, man. Wrong hole.

Re:I'm surely not the only slashdotter... (0)

Anonymous Coward | more than 8 years ago | (#14796211)

the British children's character Winnie-the-Pooh

Wasn't Winnie the Pooh Canadian? From Winnipeg?

Meaning of nepenthes (1)

EightMillion (657319) | more than 8 years ago | (#14790606)

In case anyone was wondering, nepenthes is a genus of carnivorous or insectivorous pitcher plants. More information about them can be found here.

Re:Meaning of nepenthes (0)

Anonymous Coward | more than 8 years ago | (#14791932)

No, we weren't :-)

Re:Meaning of nepenthes (0)

Anonymous Coward | more than 8 years ago | (#14794465)

Just for the ultra curious, nepenthes also features in Greek mythology, as in 'I will drink the nepenthes (that's neh-pen-theez) of the waters of Lethe'. It was a sleeping draught which brought forgetfulness - in the Odyssey, Helen was given 'nepenthes pharmakon' to ease her troubled mind over the whereabouts of her man.

They're both doing the same thing... (1)

Deliveranc3 (629997) | more than 8 years ago | (#14791022)

So economies of scale are nice...

But possibilities of being paid off or court-ordered increase, which sucks.

Overall I'd say... net loss.

reason for merge (0)

Anonymous Coward | more than 8 years ago | (#14791878)

They just couldn't afford two second level domains.

speaking of honeypots (1)

bobkoure (701950) | more than 8 years ago | (#14798669)

Doesn't it seem obvious that spammers have their own honeypots (in order to harvest addresses from each other)? Of course, the advantage with a spammer's honey pot is that he/she doesn't have to worry about mitigating any damage - just let that spam spew through - so long as you get a copy of the addresses. Unless you think they all meet somewhere and trade/sell addresses...? What makes you think they treat each other honorably when they can just steal?
