Several scripts emulate services, from IIS to telnet to FTP and others. The tool is quite effective at detecting scans and very basic malware; however, the glass ceiling becomes evident as soon as the attacker or worm attempts to do much more than the script anticipates.
Nepenthes
Nepenthes is a newcomer to the scene and was merged with the mwcollect project to form quite an impressive tool. Its advantage over Honeyd is that the glass ceiling is much, much higher. Nepenthes employs several techniques to emulate services more faithfully and thereby extract more information from the attacker or worm. The system is built to extract binaries from malware for further analysis and can even execute many of the common system calls that shellcode makes to download secondary stages, and so on. It is built on a set of modules that process protocols and shellcode.
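To make the low-interaction model concrete, the following is an added example, not code from the book, from Honeyd or from Nepenthes: a tiny scripted FTP emulation of the kind Honeyd's service scripts provide. It answers the handful of commands a scanner or worm sends first, logs the credentials that are tried, and returns a generic refusal for everything else, which is exactly the "glass ceiling" described above. The banner, port number and session labels are constructed for the example.

```python
# Added example for the low-interaction honeypot discussion; not code from the book,
# Honeyd or Nepenthes. A scripted FTP emulation with a deliberately low ceiling.
import socketserver
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed banner; a deployment would copy the banner of the product being emulated.
BANNER = "220 (vsFTPd 2.3.4)\r\n"


@dataclass
class Session:
    peer: str
    commands: int = 0
    user: Optional[str] = None
    events: List[str] = field(default_factory=list)  # what the honeypot logs for analysts


def respond(session: Session, line: str) -> str:
    """Return the reply for one client line and record anything worth logging."""
    session.commands += 1
    parts = line.strip().split(" ", 1)
    verb, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
    if verb == "USER":
        session.user = arg
        return "331 Please specify the password.\r\n"
    if verb == "PASS":
        # Credentials tried against the honeypot are the most useful thing it collects.
        session.events.append(f"login_attempt user={session.user!r} pass={arg!r}")
        return "530 Login incorrect.\r\n"
    if verb == "SYST":
        return "215 UNIX Type: L8\r\n"
    if verb == "QUIT":
        return "221 Goodbye.\r\n"
    # Everything else hits the ceiling: no file system, no data channel, no real state.
    session.events.append(f"unsupported_command verb={verb!r}")
    return "530 Please login with USER and PASS.\r\n"


def run_session(peer: str, lines: List[str]) -> Tuple[List[str], Session]:
    """Drive the emulation over a list of client lines (offline use and testing)."""
    session = Session(peer)
    replies = [BANNER]
    for line in lines:
        replies.append(respond(session, line))
        if line.strip().upper() == "QUIT":
            break
    return replies, session


def classify(session: Session) -> str:
    """Coarse label for the log: what kind of visitor was this? (constructed labels)"""
    logins = sum(e.startswith("login_attempt") for e in session.events)
    if session.commands == 0:
        return "banner_grab"   # connected, read the banner, left: a scanner
    if logins >= 3:
        return "brute_force"   # repeated PASS attempts
    if any(e.startswith("unsupported_command") for e in session.events):
        return "hit_ceiling"   # tried to go further than the script can follow
    return "probe"


class FtpHandler(socketserver.StreamRequestHandler):
    """Serve the emulation on a real socket; one Session per connection."""

    def handle(self) -> None:
        session = Session(self.client_address[0])
        self.wfile.write(BANNER.encode())
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            line = raw.decode("latin-1")
            self.wfile.write(respond(session, line).encode())
            if line.strip().upper() == "QUIT":
                break
        print(f"{session.peer} {classify(session)} {session.events}")


if __name__ == "__main__":
    # Unprivileged port chosen for the example; a deployment would redirect port 21 here.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), FtpHandler) as srv:
        srv.serve_forever()
```

Run it and connect with any FTP client: USER/PASS and SYST are answered plausibly, but the first RETR, LIST or PORT is refused and logged as an unsupported command. That refusal is the ceiling; a higher-interaction tool such as Nepenthes raises it by parsing the protocol and the shellcode it carries rather than matching a fixed list of verbs.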
High-Interaction Honeypots
High-interaction honeypots, on the other hand, are often actual virgin builds of operating systems with few to no patches and may be fully compromised by the attacker. High-interaction honeypots require a high level of supervision, as the attacker has full control over the honeypot and can do with it as he will. Often, high-interaction honeypots are used in a research role instead of a production role.