Apart from antivirus and updates, which form an integral part of any security setup, we also need something extra to protect our network and mission-critical servers from zero-day bot attacks. Remember those horrible days when worms and bots such as Welchia, Blaster and Slammer attacked the Internet and no patches, updates or antivirus signatures were available to stop them. By the time patches were made available and deployed, these worms had already infected millions of machines. New worms and bots get created every day, and we must keep an eye on the wild for such threats and inform the antivirus companies when an unknown threat has attacked our network.
There is a common notion that this requires a huge setup and a lot of investment; but what if we tell you that all you need is a fraction of one of your servers' resources and nothing else? You can create your own Honeypot for your internal network, or even for the Internet, which can detect worms and bots without spending a single penny on software.
Here, in this article, we tell you how to set up such a Honeypot, and the whole process should not take more than an hour of your time.
Basic Concept
We will deploy a Honeypot called Nepenthes, a low-interaction Honeypot specialized in trapping Windows-based bots and worms. It listens on the ports of commonly attacked Windows services and emulates just enough of their vulnerabilities to let a bot or worm 'exploit' it. As soon as it receives such an exploit attempt, it extracts the download location from the payload, fetches a copy of the binary into its own quarantine directory, and submits a copy to the Norman Web-based sandbox along with your email address. Nepenthes runs on a Linux machine and only emulates the vulnerable Windows services; it never executes the binaries it collects, so it does not get infected by the bots it catches.
Norman Sandbox is a Web-based sandbox and binary analysis system where anyone can upload a suspicious binary file. The Norman site runs the binary in its sandbox and emails a report to the person who uploaded it. When Nepenthes submits a binary to Norman Sandbox, you automatically get such a report describing what the binary does, whether or not it belongs to a known bot or worm. If the report suggests a sample that no antivirus vendor has seen yet, submit the binary file either to your antivirus service providers or to a site such as VirusTotal, which scans it with the 20-odd antivirus engines of participating vendors and passes new specimens on to them.
Scenarios for deploying Nepenthes
There are two basic scenarios for deploying Nepenthes:
One way is to place your Honeypot within the local network. This is the standard configuration that most people follow. Here the Honeypot will only see traffic on the local network, and will send alerts when a machine on that network shows bot-like activity, such as an already infected host scanning for new victims.
The other scenario is to place your Honeypot on the Internet. Such a setup is good if you want to find new threats and submit them to antivirus solution providers for quick antidotes. Here you have to place the Honeypot either in a DMZ or directly on the Internet with dedicated connectivity; in both cases keep it on its own segment, so that an attacker who reaches it cannot reach your production hosts from it.
Deploying Nepenthes
There are two installation methods for deploying Nepenthes. The first is the traditional one, where you set up a standard Linux machine (most likely a Debian box), download and install the Nepenthes packages, and then configure and run it.
The easiest way is to download the preconfigured Ubuntu-based 'Nepenthes Virtual Appliance' (linked from the original article via a TinyURL short link).
After downloading this virtual appliance, you can run it on any machine that runs VMware Player or VMware Workstation. The machine should have at least 1 GB of RAM and around 2 GB of free disk space. Once the appliance has booted, log in at the console: the default username is 'sparca' and the password is 'secure'. These defaults are public, so change the password with passwd before the appliance faces anything but a test network.
Log in with these credentials and you will enter a command-line Ubuntu environment.
Configuring Nepenthes
You need to make a few configuration changes so that Nepenthes works properly. First, open the file /etc/nepenthes/submit-norman.conf in a text editor under sudo.
Because the editor runs with root privileges, sudo will ask for a password; provide the same password you used to log in. In the file that opens, replace the quoted text in the line email "your@email.domain" with your own email address.
Once you are through, reboot the appliance and your Honeypot is ready. After it reboots, run the DHCP client to get an IP address from your network; this too has to run under sudo:
sudo dhclient
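After the reboot it is worth confirming, from another host on the same segment, that the emulated services are actually reachable, since Nepenthes only catches what arrives at them. The following Python script is an added example written for this article, not code from the original article or from the Nepenthes project. The port list is an assumption about a default Nepenthes install and should be adjusted to the modules enabled under /etc/nepenthes; the self_check() function exists only so the probe can be exercised offline against a local throwaway listener.

```python
#!/usr/bin/env python3
"""Post-deployment check: is the Nepenthes appliance listening?

Added example, not part of the original article or the Nepenthes project.
Run it from a second host:  python3 probe_honeypot.py 192.0.2.50
"""
import socket
import threading

# ASSUMED default listeners of a stock Nepenthes install: FTP (21), SMTP (25),
# HTTP (80), DCE-RPC/DCOM (135, Blaster), NetBIOS (139), HTTPS (443),
# SMB/LSASS (445, Sasser), UPnP (5000). Adjust to your enabled modules.
EXPECTED_PORTS = [21, 25, 80, 135, 139, 443, 445, 5000]


def probe_ports(host, ports, timeout=2.0):
    """Return {port: True/False} for the TCP ports that accept a connection."""
    status = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            status[port] = True
        except OSError:          # refused, timed out, unreachable
            status[port] = False
        finally:
            s.close()
    return status


def missing_ports(host, ports=EXPECTED_PORTS, timeout=2.0):
    """Ports from `ports` on which the honeypot does NOT answer."""
    return [p for p, up in probe_ports(host, ports, timeout).items() if not up]


def self_check():
    """Offline exercise of probe_ports(): a local throwaway listener must show
    as open, and a port that is bound but never listen()ed must show as closed
    (the kernel refuses connections to it)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))   # bound, not listening: connections refused
    closed_port = spare.getsockname()[1]
    try:
        result = probe_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        spare.close()
        srv.close()
    return result[open_port] is True and result[closed_port] is False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, up in probe_ports(target, EXPECTED_PORTS).items():
        print(f"{target}:{port} {'open' if up else 'CLOSED'}")
    print("missing:", missing_ports(target))
```

Run it from a machine the worms would reach the honeypot from, not from the appliance itself: a probe that succeeds only on 127.0.0.1 tells you nothing about the firewall or DMZ rules in between.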
Now go to the home folder of the 'sparca' user and you will see a symlinked folder called binaries. This is where Nepenthes keeps all the suspicious binaries it has captured; each file is named after its MD5 checksum, so the same sample downloaded twice is stored only once. If you want to brush up your malware analysis skills, you can open these binaries in a hex editor or run strings over them to see the URLs, IRC commands and other clues to what the bots do. Treat every file in that folder as live malware: inspect it only on the Linux host, never copy it to a Windows machine, and never execute it.
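A small static triage pass over that folder is safer than poking at the files by hand. The Python script below is an added example, not part of the original article or of the Nepenthes project: it verifies that each file's name matches the MD5 of its contents, records a SHA-256 for submission elsewhere, checks for the 'MZ' header of a Windows executable and pulls out printable strings and URLs, without ever executing anything. The demo() function builds a constructed, harmless stand-in for the binaries folder so the script runs offline; for real use point triage_dir() at ~/binaries on the appliance.

```python
#!/usr/bin/env python3
"""Static triage of samples captured by Nepenthes.

Added example, not part of the original article or the Nepenthes project.
Nepenthes names each captured file after its MD5 digest; this script walks
that directory, confirms each name matches its contents, records a SHA-256,
checks for a PE ('MZ') header and extracts strings and URLs. Nothing is run.
"""
import hashlib
import os
import re
import tempfile

URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\x21-\x7e]+")
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")   # runs of 6+ printable ASCII bytes


def triage_file(path):
    """Return a dict describing one captured sample without executing it."""
    with open(path, "rb") as f:
        data = f.read()
    md5 = hashlib.md5(data).hexdigest()
    name = os.path.basename(path)
    return {
        "name": name,
        "size": len(data),
        "md5": md5,
        # Nepenthes stores samples under their MD5; a mismatch means the file
        # was renamed or altered after capture and its provenance is suspect.
        "name_matches_md5": name.lower() == md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": data[:2] == b"MZ",
        "urls": sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)}),
        "strings": [s.decode("ascii") for s in STRING_RE.findall(data)][:50],
    }


def triage_dir(directory):
    """Triage every regular file in the Nepenthes binaries directory."""
    reports = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            reports.append(triage_file(path))
    return reports


def demo():
    """Run the triage over a constructed, harmless stand-in for ~/binaries."""
    # Constructed sample: an MZ header, padding, and the kind of strings a bot
    # carries (an IRC command and a download URL). Not a real malware sample.
    fake_bot = (b"MZ" + b"\x00" * 62
                + b"NICK bot-%d\x00PRIVMSG #cmd :update\x00"
                + b"http://192.0.2.10/update.exe\x00")
    notes = b"just some text, no MZ header here\n"
    tmp = tempfile.mkdtemp(prefix="nepenthes-demo-")
    for blob in (fake_bot, notes):
        # mimic Nepenthes: the file name is the MD5 of the content
        with open(os.path.join(tmp, hashlib.md5(blob).hexdigest()), "wb") as f:
            f.write(blob)
    # and one file whose name does not match its contents
    with open(os.path.join(tmp, "0" * 32), "wb") as f:
        f.write(b"MZrenamed after capture")
    return triage_dir(tmp)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['name']} size={r['size']} pe={r['is_pe']} "
              f"md5ok={r['name_matches_md5']} urls={r['urls']}")
```

The URLs and IRC-style strings are usually the quickest lead on where a bot fetches updates and which server it reports to; the SHA-256 is what most other analysis services key on, since Nepenthes only gives you the MD5 name.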


