Nepenthes

Nepenthes is a malware-collection tool. It emulates known vulnerabilities, and then downloads malware trying to exploit these vulnerabilities. Seems like a good idea for a research project.

Posted on July 24, 2006 at 1:25 PM • 8 Comments

Comments

talltimbers • July 24, 2006 4:11 PM

I'm a big fan of these types of tools, Metasploit being another serious one. I figure that the vendors get a lot of serious research and ideas from these sorts of things without laying out any expense on their part. Never could understand why some vendors are so spooked by this and other tools that show glaring weaknesses and bad design. Gee, what are they afraid of?

Jamie Riden • July 24, 2006 4:11 PM

Nepenthes is a fantastic tool - a low-interaction honeypot for Windows-based malware. I've had it running on a couple of boxes for maybe 6 months now and it's accumulating a lot of Win32 nasties - everything from the latest {ago,rd,sd}bots to the old MSBlaster worm.

Even better, it's available as a Debian package. Just apt-get nepenthes, tweak the configuration and you're ready to go.

Tim • July 25, 2006 3:23 AM

If, like me, you were wondering where the name 'Nepenthes' comes from, it turns out that it's the Latin name of the carnivorous plant commonly known as the 'pitcher plant'.

anomine • July 25, 2006 6:26 AM

"Never could understand why some vendors are so spooked by this and other tools that show glaring weaknesses and bad design. Gee, what are they afraid of?"

My guess is that a lot of exec types think they can practice safe computing by setting their brains to "default deny" on anything related to "security". That way, they don't have to do any of that hard, nasty thinking.

Clive Robinson • July 27, 2006 11:54 AM

It's an interesting site, and has a nice little example of how to pull out ShellCode and reverse engineer it (to a point).

What I am not sure from the blurb is how well it does predictive stuff on "unknown" exploits (that contain known fragments as most do). However it appears that it should be run in HoneyPot mode so I guess it does not matter as all inbound is regarded as hostile in this case.

As it is sufficiently different to other malware / intrusion detectors, it has the advantage that it is likely to catch stuff that others might miss.

Definitely one to keep the old mark one eyeball on.
