A week ago I decided to install a honeypot at home in order to get some malware samples running in the wild.
I used nepenthes as recommended by the shadowserver foundation and I found it’s extremely straightforward to install and has a very small footprint. Check this uptime and load info:

root@bt:/mnt/sdcard/nepenthes/binaries# uptime
13:30:04 up 7 days, 14:15, 1 user, load average: 0.08, 0.02, 0.01

I haven’t had time yet to properly configure it, but the default install captures the binaries sent by the worms to the different ports (imitating a service) and stores them for later analysis. After a week I have captured 66 different samples already. Not bad…

root@bt:/mnt/sdcard/nepenthes/binaries# ls -l | grep -v total | wc -l
66

A remarkable feature is the automatic submission of the binaries to an online sandbox, where they will be executed and analyzed.
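The `ls | wc -l` count above only tells you how many files are in the directory, not how many distinct samples you hold, and a manifest with hashes and sizes is what you want before handing anything to a sandbox or picking a specimen for analysis. The script below is an added example, not part of the original post and not nepenthes' own tooling; it assumes a flat directory with one captured binary per file (an assumption, not something taken from the nepenthes documentation) and builds a constructed sample directory of harmless dummy files so it runs offline.

```shell
#!/bin/sh
# Added example: inventory a honeypot "binaries" directory.
# Assumption: a flat directory, one captured file per sample.
# The files created in make_sample_dir are constructed dummy data,
# not real captured malware.
set -eu

# Build a constructed sample directory so the script runs offline.
# Two of the files share identical content to simulate the same
# sample being captured twice.
make_sample_dir() {
    dir=$(mktemp -d)
    printf 'MZ sample-a' > "$dir/a.bin"
    printf 'MZ sample-a' > "$dir/a-copy.bin"   # duplicate content of a.bin
    printf 'MZ sample-b' > "$dir/b.bin"
    printf '#!/bin/sh sample-c' > "$dir/c.sh"
    printf '%s' "$dir"
}

# Emit "sha256 path" for every regular file (shasum fallback for systems
# without GNU coreutils).
hash_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f"
        else
            shasum -a 256 "$f"
        fi
    done
}

# Number of regular files: the same figure as `ls -l | grep -v total | wc -l`.
count_files() {
    n=0
    for f in "$1"/*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Number of distinct samples, judged by content hash rather than file name.
count_unique() {
    hash_dir "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Hashes that occur more than once, i.e. the same sample captured repeatedly.
list_dupes() {
    hash_dir "$1" | awk '{print $1}' | sort | uniq -d
}

# Manifest lines "sha256 size_bytes filename", handy for sandbox submission
# records and for tracking which sample you chose to analyze.
write_manifest() {
    hash_dir "$1" | while read -r h p; do
        printf '%s %s %s\n' "$h" "$(wc -c < "$p" | tr -d ' ')" "$(basename "$p")"
    done
}

# Stand-alone run over the constructed directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    echo "files:  $(count_files "$d")"
    echo "unique: $(count_unique "$d")"
    echo "duplicated hashes:"; list_dupes "$d"
    echo "manifest:"; write_manifest "$d"
    rm -rf "$d"
fi
```

Run it with `sh inventory.sh --demo`; point `count_unique` and `write_manifest` at the real binaries directory to see how many of the 66 files are actually distinct samples.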

I will be giving a talk in November at Backtrack Day 2010 (Germany) about reverse engineering malware. Now I just need to check my binaries directory and find a good sample for it!
