Honeypots. Honeypots are a great way to catch Internet worms that have more complex interactions. Most honeypots have port listeners and contain more complex interaction mechanisms if you need them. For example, most honeypots can easily handle malware requiring TCP handshakes and respond with prescripted commands. Many are simple to set up and have many logging and notification mechanisms already built in that make them perfect as virus traps.
Several people, including Laurent Oudot of the Rstack team (http://www.rstack.org)
used Honeyd (http://www.honeyd.org), a popular open-source honeypot, to catch
the MSBlaster worm when it was causing damage around the world. The worm was
looking for TCP port 135, so Honeyd users created a port listener on that port
by adding the following line to the Honeyd.config file:
add tcp port 135 open
The worm, finding this port open, would then attempt a DCOM remote procedure call (RPC) buffer overflow. On a real host, if the buffer overflow was successful, the worm then established a connection on TCP port 4444 and downloaded its main body by using Trivial FTP (TFTP) on TCP port 69.
In order to capture the worm, Honeyd users created a capturing service script called msblaster.sh and added it on port 4444 by using a Honeyd configuration command like the following:
add tcp port 4444
"sh msblaster.sh $ipsrc $ipdst"
The msblaster.sh script connected to the attacker and got the MSBlaster executable,
as follows:
tftp $1 << EOF
get msblast.exe
quit
EOF
The script used tftp.exe (located in the \system32 folder on most Windows machines)
to download msblaster.exe so that it could be examined. See "Honeyd vs Msblast.exe"
(http://www.citi.umich.edu/u/provos/honeyd/msblast.html) or the excellent "Fighting
Internet Worms With Honeypots" (http://www.securityfocus.com/infocus/1740)
for more details. Similar scripts and actions can be used to capture most scanning
Internet worms.
Sometimes you want to do more than simply capture a worm. The MSBlaster-capturing script articles named above contain a counterattack script that was used by some administrators to try to stop the onslaught of the MSBlaster worm. For more information about this offensive approach, see the sidebar "Taking It to the Worm," . For more details about running and configuring Honeyd, see "Honeypots for Windows," April 2004, InstantDoc ID 41976, and the Windows IT Security article "Honeyd for Windows," August 2003, InstantDoc ID 39428.
Virtual machines. If you want to capture the full interaction of malware with a near-real machine, you can't beat virtual machine software such as VMware Workstation (http://www.vmware.com) or Microsoft Virtual PC 2004 (http://www.microsoft.com/ windows/virtualpc/default.mspx). Virtual machine software can mimic the way in which a real PC would respond to virus and worm probes.
You can use a network sniffer such as the open-source Ethereal (http://www.ethereal
.com) on a virtual machine to monitor traffic to and from the virtual session
and use the free Regmon and Filemon utilities (http://www.sysinternals.com)
to discover what network traffic and registry and file system modifications
are taking place. See "Honeypots for Windows" and "Honeyd for Windows" for more
information about using virtual machine software as a honeypot or virus trap.
The key considerations are directing malicious traffic to only the intended
session and making sure the malware doesn't use the virtual session as a starting
point to attack other innocent computers. After your simple port listener, tarpit,
honeypot, or virtual machine session captures a piece of malware, you can examine
the bug in detail or submit it to an antivirus vendor for analysis. By implementing
a virus trap, you get early warning and verification of threats to your network.
End of Article
