Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

Jianwei Zhuge, Thorsten Holz, Xinhui Han, Chengyu Song, Wei Zou

International Conference on Information and Communications Security (ICICS), LNCS 4861, Zhengzhou, China, December 2007


Autonomous spreading malware in the form of worms or bots has become a severe threat in today's Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.


tags: honeypots, Malware