Comments

talltimbers July 24, 2006 4:11 PM

I’m a big fan of these types of tools. Metasploit being another serious one. I figure that the vendors get a lot of serious research and ideas from these sort of things without laying out any expense on their part. Never could understand why some vendors are so spooked by this and other tools that show glaring weaknesses and bad design. Gee, what are they afraid of?

Jamie Riden July 24, 2006 4:11 PM

Nepenthes is a fantastic tool – a low-interaction honeypot for Windows-based malware. I’ve had it running on a couple of boxes for maybe 6 months now and it’s accumulating a lot of Win32 nasties – everything from the latest {ago,rd,sd}bots to the old MSBlaster worm.

Even better, it’s available as a Debian package. Just apt-get nepenthes, tweak the configuration and you’re ready to go.

Tim July 25, 2006 3:23 AM

If, like me, you were wondering where the name ‘Nepenthes’ comes from, it turns out that it’s the Latin name of the carnivorous plant commonly known as the ‘pitcher plant’.

anomine July 25, 2006 6:26 AM

“Never could understand why some vendors are so spooked by this and other tools that show glaring weaknesses and bad design. Gee, what are they afraid of?”

My guess is that a lot of exec types think they can practice safe computing by setting their brains to “default deny” on anything related to “security”. That way, they don’t have to do any of that hard, nasty thinking.

Clive Robinson July 27, 2006 11:54 AM

It’s an interesting site, and has a nice little example of how to pull out ShellCode and reverse engineer it (to a point).

What I am not sure of from the blurb is how well it does predictive stuff on “unknown” exploits (that contain known fragments, as most do). However, it appears that it should be run in HoneyPot mode, so I guess it does not matter, as all inbound is regarded as hostile in this case.

As it is sufficiently different to other Malware / intrusion detectors, it has the advantage that it is likely to catch stuff that others might miss.

Definitely one to keep the old mark one eyeball on.
