Hunting for new malware systematically

written by Michael on

The bad guys never stop producing new malware and variants of existing families, and even though generic signatures and behaviour-based analysis catch many of them, it is an arms race to get hold of the samples and write detection rules for them.

I have been collecting malware for some time now, and doing it manually is quite time-consuming, so here is how I do it in a more automated fashion.

Server honeypots

On the server honeypot side you can have more or less interactivity. More interactivity means getting more details out of the attacker, but also more administration, because the attacker is interacting with a real system that has to be monitored, contained and rebuilt after every compromise. The opposite is true for low-interaction honeypots: less admin work, but the attacker can't do very much with them either, since they only emulate a service far enough to capture the first steps of an intrusion.

Personally I have low-interaction server honeypots running all the time, while high-interaction honeypots are limited to when I have time to babysit them (weekends and the like).
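To make the trade-off concrete, here is what a low-interaction server honeypot boils down to. This is an added example and not the author's own setup: it emulates a telnet-style login and a BusyBox-looking shell just far enough to capture the credentials an attacker tries and the URLs they attempt to fetch (which is where the malware samples come from), and logs each event as a JSON line. The banner text, the canned `/proc/cpuinfo` answer and the port are assumptions chosen to resemble a cheap embedded device; an attacker gets no real shell, which is exactly why it needs no babysitting.

```python
"""Low-interaction server honeypot: emulate a telnet-style login and a
BusyBox-looking shell just far enough to capture credentials and the URLs
an attacker tries to fetch, then log every event as one JSON line.
Added example, not the author's setup; the banner and the fake cpuinfo
answer are assumptions chosen to look like a cheap embedded box."""
import json
import re
import socketserver
import time
from dataclasses import dataclass, field

# Anything the attacker tries to download is exactly what we want to collect.
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\";|&]+")


@dataclass
class Session:
    peer: str
    state: str = "user"      # user -> password -> shell -> closed
    username: str = ""
    events: list = field(default_factory=list)

    def log(self, kind, **data):
        self.events.append({"ts": time.time(), "peer": self.peer, "kind": kind, **data})


def handle_line(session, line):
    """Feed one line from the attacker; return the text to send back."""
    line = line.rstrip("\r\n")
    if session.state == "user":
        session.username = line
        session.state = "password"
        return "Password: "
    if session.state == "password":
        session.log("login", username=session.username, password=line)
        session.state = "shell"
        # Every login "succeeds": a rejected login ends the session and teaches nothing.
        return "\r\nBusyBox v1.21.1 built-in shell (ash)\r\n\r\n# "
    urls = URL_RE.findall(line)
    session.log("command", command=line, urls=urls)
    if line in ("exit", "quit"):
        session.state = "closed"
        return ""
    if line.startswith("cat /proc/cpuinfo"):
        # Bot loaders pick an architecture-specific payload based on this answer.
        return "processor\t: 0\r\nmodel name\t: ARMv7 Processor rev 5 (v7l)\r\n# "
    # Pretend every other command ran silently; the point is to keep them talking.
    return "# "


class TelnetHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = Session(peer=self.client_address[0])
        self.wfile.write(b"login: ")
        while session.state != "closed":
            raw = self.rfile.readline()
            if not raw:
                break
            self.wfile.write(handle_line(session, raw.decode("latin-1", "replace")).encode())
        for event in session.events:
            print(json.dumps(event))


class Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True


def serve(port=2323):
    """Listen on an unprivileged port; redirect 23 -> 2323 with a firewall rule."""
    with Server(("0.0.0.0", port), TelnetHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it, point a firewall redirect for port 23 at 2323, and the JSON lines give you credentials, commands and download URLs to feed into a fetcher. The handler is a pure function of the session state, so it can be exercised without a socket and extended with more canned answers as you see what the bots expect.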

Client honeypots

Client honeypots also come in two flavours. A low-interaction one works more or less like a spider: it crawls everywhere, downloads everything and runs it against a detection engine (ClamAV, Snort rules or similar). A high-interaction client honeypot instead drives a standard web browser (Internet Explorer or Firefox) through the sites, with a file integrity monitor watching the system for anything that gets dropped or changed. Because the client environment is "live", exploits against the real browser and its plugins actually fire, so you tend to collect more malware that way.

I currently run low-interaction client honeypots and am building myself a high-interaction one. The reason is that it takes time to set the whole thing up, but with plentiful free virtualization software available it is getting easier and easier to create the required environments.
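The file integrity monitor is the part of a high-interaction client honeypot that turns "the browser visited a site" into "here is the sample". As an added example (not the author's tooling, and independent of which browser or virtualization software is used), the following snapshots a directory tree before the browser visits a site and again afterwards, diffs the two by content hash rather than timestamp, and copies anything new or modified into a quarantine directory named by SHA-256. The `demo()` function builds a constructed fake guest profile in a temporary directory and simulates a drive-by that drops a binary and rewrites the hosts file; the directory layout and file names in it are assumptions.

```python
"""File-integrity monitor for a high-interaction client honeypot: snapshot
the guest's directories before a site visit, again after, and quarantine
whatever appeared or changed. Added example, not the author's tooling."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root to (size, mtime_ns, sha256)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished mid-walk (common in browser caches)
            state[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, sha256_of(path))
    return state


def diff(before, after):
    """Compare by content hash, so a touched-but-identical file is not reported."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p][2] != after[p][2])
    return added, modified, removed


def quarantine(root, changed, dest):
    """Copy new/modified files into dest, named by SHA-256; return {sha256: rel path}."""
    os.makedirs(dest, exist_ok=True)
    collected = {}
    for rel in changed:
        src = os.path.join(root, rel)
        digest = sha256_of(src)
        if digest not in collected:  # the same dropper often lands in several places
            shutil.copy2(src, os.path.join(dest, digest))
        collected[digest] = rel
    return collected


def demo():
    """Constructed walkthrough: a fake guest profile and a simulated drive-by."""
    guest = tempfile.mkdtemp(prefix="guest-")
    samples = tempfile.mkdtemp(prefix="samples-")
    try:
        os.makedirs(os.path.join(guest, "Temp"))
        with open(os.path.join(guest, "Temp", "cache.dat"), "wb") as f:
            f.write(b"old cache")
        with open(os.path.join(guest, "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        before = snapshot(guest)
        # The "visit": an exploit drops a binary and hijacks name resolution.
        with open(os.path.join(guest, "Temp", "update.exe"), "wb") as f:
            f.write(b"MZ\x90\x00 constructed sample, not a real binary")
        with open(os.path.join(guest, "hosts"), "ab") as f:
            f.write(b"203.0.113.9 windowsupdate.com\n")
        after = snapshot(guest)
        added, modified, removed = diff(before, after)
        collected = quarantine(guest, added + modified, samples)
        return {"added": added, "modified": modified, "removed": removed, "hashes": collected}
    finally:
        shutil.rmtree(guest)
        shutil.rmtree(samples)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real deployment the snapshot runs inside the guest (or over its mounted disk image from the host) against the browser profile, temp directories and autostart locations, and the quarantine directory lives outside the VM so a revert to the clean snapshot does not take the samples with it. Hashing whole trees is slow, so restrict the watched roots; the hash comparison is what makes the diff reliable when malware resets timestamps.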

In a later installment I will describe the specifics of my honeypot environments, how they work and how to install them etc. Stay tuned.
