The Nepenthes Platform: An Efficient Approach to Collect Malware

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 4219))

Abstract

Up to now, there is little empirically backed quantitative and qualitative knowledge about self-replicating malware publicly available. This hampers research in these topics because many counter-strategies against malware, e.g., network- and host-based intrusion detection systems, need hard empirical data to take full effect.

We present the nepenthes platform, a framework for large-scale collection of information on self-replicating malware in the wild. The basic principle of nepenthes is to emulate only the vulnerable parts of a service, rather than a complete service or host: just enough of the protocol is implemented for an exploit to reach the emulated flaw and deliver its payload. This leads to an efficient and effective solution that offers many advantages compared to other honeypot-based solutions. Furthermore, nepenthes offers a flexible deployment solution, leading to even better scalability. Using the nepenthes platform we and several other organizations were able to greatly broaden the empirical basis of data available about self-replicating malware and provide thousands of samples of previously unknown malware to vendors of host-based IDS/anti-virus systems. This greatly improves the detection rate of this kind of threat.
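The following is an added example written for this page to illustrate the "emulate only the vulnerable part" idea; it is not nepenthes' own code and does not reproduce any of its vulnerability modules. The toy line-based protocol (banner, USER, LONGCMD), the assumed 256-byte buffer, the single-byte XOR encoding and the attack transcript are all constructed for the demonstration. The emulator implements only the commands on the path to the flaw, records the overflowing bytes instead of crashing, and then searches the captured payload for the download URL a self-propagating sample would fetch its binary from.

```python
"""Illustration of the "emulate only the vulnerable part" honeypot idea.

Example code written for this page, not nepenthes' own code. The protocol
below (banner, USER, LONGCMD), the 256-byte buffer and the attack transcript
are all constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the emulated service copies the LONGCMD argument into a
# fixed 256-byte stack buffer, so anything longer is an exploit attempt.
BUFFER_SIZE = 256
BANNER = b"220 toyd ready\r\n"
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\x21-\x7e]+")


@dataclass
class Session:
    state: str = "new"          # new -> authed -> exploited
    captured: Optional[bytes] = None
    replies: List[bytes] = field(default_factory=list)


def handle_line(session: Session, line: bytes) -> bytes:
    """Emulate just enough of the service for an exploit to reach the bug.

    Only the commands on the path to the vulnerable LONGCMD handler are
    implemented; everything else gets a generic error reply.
    """
    if line.startswith(b"USER "):
        session.state = "authed"
        return b"200 OK\r\n"
    if line.startswith(b"LONGCMD ") and session.state == "authed":
        arg = line[len(b"LONGCMD "):]
        if len(arg) > BUFFER_SIZE:
            # The real service would overflow here. The emulator records the
            # overflowing bytes instead and stops answering, which looks like
            # the crash the exploit expects.
            session.captured = arg
            session.state = "exploited"
            return b""
        return b"200 OK\r\n"
    return b"500 Unknown command\r\n"


def extract_url(payload: bytes) -> Optional[bytes]:
    """Look for a download URL in the payload, plain or single-byte-XOR encoded.

    Many shellcodes XOR-encode their strings; trying all 256 keys is cheap,
    and the first key that reveals a URL is taken as the real one.
    """
    for key in range(256):
        view = payload if key == 0 else bytes(b ^ key for b in payload)
        match = URL_RE.search(view)
        if match:
            return match.group(0)
    return None


def analyse_session(lines: List[bytes]) -> Dict[str, object]:
    """Run a transcript through the emulator and report what was captured."""
    session = Session()
    session.replies.append(BANNER)
    for line in lines:
        reply = handle_line(session, line)
        if reply:
            session.replies.append(reply)
        if session.state == "exploited":
            break
    url = extract_url(session.captured) if session.captured else None
    return {"replies": session.replies, "captured": session.captured, "url": url}


# Constructed attack: a NOP sled, then a NUL-terminated URL, XOR-encoded with 0x5A.
XOR_KEY = 0x5A
PLAIN_PAYLOAD = b"\x90" * 300 + b"http://203.0.113.7/bot.exe\x00"
ENCODED_PAYLOAD = bytes(b ^ XOR_KEY for b in PLAIN_PAYLOAD)
ATTACK_SESSION = [b"USER guest", b"LONGCMD " + ENCODED_PAYLOAD]
BENIGN_SESSION = [b"USER bob", b"LONGCMD hello", b"QUIT"]


if __name__ == "__main__":
    for name, transcript in (("attack", ATTACK_SESSION), ("benign", BENIGN_SESSION)):
        result = analyse_session(transcript)
        captured = result["captured"] or b""
        print(name, "captured bytes:", len(captured), "url:", result["url"])
```

The point of the design is that nothing beyond `handle_line` needs to exist: no real daemon, no operating system to compromise, and a single process can answer on many addresses because each emulated flaw costs only a few lines of state. The extracted URL is what a collector would then fetch to obtain the sample itself.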

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Baecher, P., Koetter, M., Holz, T., Dornseif, M., Freiling, F. (2006). The Nepenthes Platform: An Efficient Approach to Collect Malware. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_9

Download citation

  • DOI: https://doi.org/10.1007/11856214_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-39723-6

  • Online ISBN: 978-3-540-39725-0

  • eBook Packages: Computer Science (R0)